Vulnerability Spotlight: Zoom Communications User Enumeration

Video conferencing and calling software has spiked in popularity as individuals across the globe are forced to stay home due to the COVID-19 pandemic. There are a plethora of players in this space, with one or two getting increased attention. One service in particular — Zoom — has received an enormous amount of attention from the media and users.

Today, Cisco Talos is disclosing a user enumeration vulnerability in Zoom Communications that could allow a malicious user to obtain a complete list of Zoom users inside a specific organization. There has been a lot of discussion around what is and is not a vulnerability and what security features should exist in video conferencing software. That debate is not the purpose of this blog. This disclosure is made in accordance with our vulnerability disclosure policy, in the interest of ensuring the security and privacy of users at large against this information disclosure vulnerability.

Vulnerability details

Discovered by Cisco Talos.

TALOS-2020-1052 — Zoom Communications registered user enumeration

Zoom is a video conferencing solution that provides a range of features, one of which is chat functionality. As part of this feature, Zoom offers users the ability to search for contacts within their own organization. Since Zoom Communications chat is based on the XMPP standard, the client sends a "group query" XMPP request that specifies a group name. In Zoom's implementation, this group name is actually a registration email domain (e.g. cisco.com).

The vulnerability arises from the lack of validation to ensure the requesting user belongs to a queried domain. This allows arbitrary users to req ..
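To make the missing check concrete, here is an added example (not Zoom's code and not from the Talos advisory) that models a directory-style "group query" keyed on an email domain. The directory, the requester identities and the query shape are constructed for illustration; the assumed fix is the one the advisory implies, namely that the server must confirm the authenticated requester's registration domain matches the queried domain before returning any users. A small log-review helper at the end shows the defender-side view: requesters whose queries name domains other than their own.

```python
"""Added example: domain-scoped authorization for a group query.
Not Zoom's implementation; directory and requests are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed directory: registration email -> display name.
DIRECTORY: Dict[str, str] = {
    "alice@example.com": "Alice",
    "bob@example.com": "Bob",
    "carol@example.net": "Carol",
}


@dataclass(frozen=True)
class GroupQuery:
    requester: str  # authenticated identity of the caller (assumed: registration email)
    group: str      # requested group name; per the advisory this is an email domain


def registered_domain(email: str) -> str:
    """Return the lower-cased domain part of a registration email."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()


def users_in_domain(domain: str) -> List[str]:
    """All directory entries registered under the given domain."""
    wanted = domain.lower()
    return sorted(addr for addr in DIRECTORY if registered_domain(addr) == wanted)


def handle_group_query_vulnerable(q: GroupQuery) -> List[str]:
    """The behaviour the advisory describes: the queried domain is trusted as-is,
    so any authenticated user can list the members of any organization."""
    return users_in_domain(q.group)


def handle_group_query_hardened(q: GroupQuery) -> List[str]:
    """Answer only when the requester's own registration domain equals the
    queried group. A mismatch (or a malformed requester) yields the same empty
    result as a non-existent domain, so the response leaks nothing about
    whether the queried organization exists or how large it is."""
    try:
        own_domain = registered_domain(q.requester)
    except ValueError:
        return []
    if own_domain != q.group.lower():
        return []
    return users_in_domain(q.group)


def cross_domain_requesters(queries: Iterable[GroupQuery]) -> Set[str]:
    """Detection view over a (constructed) query log: requesters that asked
    for a domain other than their own. On a hardened server these are denied;
    on a vulnerable one they are the enumeration attempts worth reviewing."""
    flagged: Set[str] = set()
    for q in queries:
        try:
            if registered_domain(q.requester) != q.group.lower():
                flagged.add(q.requester)
        except ValueError:
            flagged.add(q.requester)
    return flagged


if __name__ == "__main__":
    foreign = GroupQuery("carol@example.net", "example.com")
    print("vulnerable:", handle_group_query_vulnerable(foreign))  # leaks example.com users
    print("hardened:  ", handle_group_query_hardened(foreign))    # []
```

The hardened handler deliberately returns an empty list rather than an error for the cross-domain case; returning a distinct "forbidden" response would still confirm that the queried domain is registered, which is a smaller but real disclosure.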
