Tuesday, April 21, 2020

Vulnerability Spotlight: Zoom Communications user enumeration

Video conferencing and calling software has spiked in popularity as individuals across the globe are forced to stay home due to the COVID-19 pandemic. There are a plethora of players in this space, with one or two getting increased attention. One service in particular — Zoom — has received an enormous amount of attention from the media and users.

Today, Cisco Talos is disclosing a user enumeration vulnerability in Zoom Communications that could allow a malicious user to obtain a complete list of Zoom users inside a specific organization. There has been a lot of discussion around what is and is not a vulnerability and what security features should exist in video conferencing software. That debate is not the purpose of this blog. This disclosure is made in accordance with our vulnerability disclosure policy, in the interests of ensuring the security and privacy of users at large against this information disclosure vulnerability.

Vulnerability details

Discovered by Cisco Talos.

TALOS-2020-1052 — Zoom Communications registered user enumeration

Zoom is a video conferencing solution that provides a range of features, one of which is chat functionality. As part of this feature, Zoom offers users the ability to search for contacts within their own organization. Since Zoom chat is built on the XMPP standard, the client sends a "group query" XMPP request that specifies a group name. In Zoom's implementation, this group name is actually a registration email domain (e.g. cisco.com).

The vulnerability arises from the lack of validation to ensure that the requesting user belongs to the queried domain. This allows any authenticated user to request the contact list of any registration domain. Exploitation requires only that the attacker authenticate to Zoom with a valid user account. Once authenticated, the user sends an XMPP IQ stanza with the content below to receive a list of users associated with the domain arbitrary_domain.com:
<iq id='{XXXX}' type='get' from='unknown_xmpp_username@xmpp.zoom.us/ZoomChat_pc' xmlns='jabber:client'>
<query xmlns='zoom:iq:group' chunk='1' directory='1'>
<group id='arbitrary_domain.com' version='0' option='0'/>
</query>
</iq>
In the reply, the Zoom server discloses a directory of users registered under this domain. This includes details such as the autogenerated XMPP username along with the user's first and last names. Combined with other XMPP queries, this information could be leveraged to disclose further contact details, including the user's email address, phone number and any other information present in their vCard. With a large number of users coming online with video conferencing for the first time, the population exposed by this issue is correspondingly large. Because this is a server-side issue in Zoom's cloud infrastructure, no CVE will be assigned, as is customary for vulnerabilities of this kind.
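To make the exchange concrete, the following is an added example written for this page; it is not Zoom's code and not from the Talos advisory. It builds the group-query IQ stanza shown above with an XML library (so the group id is escaped rather than string-concatenated), and models the server-side step the advisory describes as missing: the handler compares the requester's own registration domain with the queried group id and answers with a standard XMPP forbidden error when they differ. The request stanza layout (jabber:client, zoom:iq:group, the chunk/directory/group attributes and the xmpp.zoom.us host) is taken from the advisory; the Session record, the handler, the item layout of the reply, and the sample directory are assumptions for illustration.

```python
"""Added example: the TALOS-2020-1052 group-query exchange with the missing
domain check in place. Stanza layout is from the advisory; Session, the
handler, the reply's <item> layout and the sample directory are assumptions."""
from __future__ import annotations

import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ZOOM_XMPP_HOST = "xmpp.zoom.us"                      # host from the advisory's stanza
NS = {"c": "jabber:client", "g": "zoom:iq:group"}
STANZA_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"    # RFC 6120 stanza error conditions


@dataclass(frozen=True)
class Session:
    xmpp_user: str   # autogenerated XMPP username (assumed shape)
    email: str       # registration email the account signed up with (assumed)


@dataclass(frozen=True)
class DirectoryEntry:
    xmpp_user: str
    first: str
    last: str


def normalize_domain(domain: str) -> str:
    """Canonical form for comparison: trimmed, no trailing dot, lower-case."""
    return domain.strip().rstrip(".").lower()


def registration_domain(email: str) -> str:
    """Domain part of a registration email, normalized."""
    local, at, domain = email.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("malformed registration email")
    return normalize_domain(domain)


def requester_may_query(session: Session, group_id: str) -> bool:
    """The check the advisory describes as absent: the requester's own
    registration domain must equal the queried group. Exact match only, so
    'cisco.com.attacker.example' or 'evilcisco.com' never pass for cisco.com."""
    return registration_domain(session.email) == normalize_domain(group_id)


def build_group_query(session: Session, domain: str) -> str:
    """Client side: the IQ 'get' the advisory shows, for a lookup of `domain`."""
    iq = ET.Element("iq", {
        "id": uuid.uuid4().hex,
        "type": "get",
        "from": f"{session.xmpp_user}@{ZOOM_XMPP_HOST}/ZoomChat_pc",
        "xmlns": "jabber:client",
    })
    query = ET.SubElement(iq, "query", {"xmlns": "zoom:iq:group", "chunk": "1", "directory": "1"})
    ET.SubElement(query, "group", {"id": domain, "version": "0", "option": "0"})
    return ET.tostring(iq, encoding="unicode")


def handle_group_query(session: Session, stanza: str,
                       directory: dict[str, list[DirectoryEntry]]) -> str:
    """Assumed server handler: parse the IQ, authorize, then answer with an IQ
    'result' carrying the directory, or an IQ 'error' with <forbidden/>."""
    iq = ET.fromstring(stanza)
    group = iq.find("g:query/g:group", NS)
    if iq.tag != "{jabber:client}iq" or iq.get("type") != "get" or group is None:
        raise ValueError("not a zoom:iq:group directory query")
    group_id = normalize_domain(group.get("id", ""))
    reply = ET.Element("iq", {"id": iq.get("id", ""), "xmlns": "jabber:client"})
    if not requester_may_query(session, group_id):
        reply.set("type", "error")
        err = ET.SubElement(reply, "error", {"type": "auth"})
        ET.SubElement(err, "forbidden", {"xmlns": STANZA_NS})
        return ET.tostring(reply, encoding="unicode")
    reply.set("type", "result")
    query = ET.SubElement(reply, "query", {"xmlns": "zoom:iq:group"})
    grp = ET.SubElement(query, "group", {"id": group_id})
    for e in directory.get(group_id, []):            # assumed <item> layout
        ET.SubElement(grp, "item", {"jid": f"{e.xmpp_user}@{ZOOM_XMPP_HOST}",
                                    "fname": e.first, "lname": e.last})
    return ET.tostring(reply, encoding="unicode")


def reply_type(reply: str) -> str:
    return ET.fromstring(reply).get("type", "")


def entries_in_reply(reply: str) -> list[DirectoryEntry]:
    """Client side: what a requester learns from a reply (empty on error)."""
    iq = ET.fromstring(reply)
    return [DirectoryEntry(it.get("jid", "").split("@")[0], it.get("fname", ""), it.get("lname", ""))
            for it in iq.findall("g:query/g:group/g:item", NS)]


# Constructed sample directory and sessions; not real accounts.
DIRECTORY = {
    "cisco.com": [DirectoryEntry("u1a2b3", "Alice", "Example"),
                  DirectoryEntry("u4c5d6", "Bob", "Example")],
}
INSIDER = Session("u1a2b3", "alice@cisco.com")
OUTSIDER = Session("z9y8x7", "mallory@attacker.example")

if __name__ == "__main__":
    for who in (INSIDER, OUTSIDER):
        r = handle_group_query(who, build_group_query(who, "cisco.com"), DIRECTORY)
        print(who.email, "->", reply_type(r), entries_in_reply(r))
```

Run as a script, the insider's query for cisco.com returns the two directory entries while the outsider's identical query gets an error stanza and learns nothing. The comparison is an exact match on the normalized domain; substring or suffix matching would reopen the hole for look-alike domains such as cisco.com.attacker.example.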

Attack scenario

Organizations need to be aware of the risks relating to remote working, and the potential susceptibility of remote employees to social engineering attacks that take advantage of the current situation.

An attacker could exploit this vulnerability to dump the email addresses of all the Zoom users within an organization and then use that list to spear-phish known individuals. Users who have recently had to install new software in order to set up remote working may be particularly susceptible to socially engineered emails that purport to instruct them to install a new or updated "Zoom client" that is in fact a trojan.

With video teleconferencing suddenly becoming a business-critical function, attackers can be expected to look for weaknesses that can be exploited in order to further their malicious goals. Organizations need to be aware of the risks of user enumeration attacks such as these and take the necessary steps to mitigate such attacks.

Versions tested

Talos tested and confirmed this vulnerability affected Zoom as of April 9, 2020.

Patch availability

As of the publication of this blog, the issue appears to be patched. Since this is a cloud-side vulnerability that resided in Zoom's infrastructure, no action is required from users or administrators.
