Talos Vulnerability Report

TALOS-2020-1052

Zoom Communications Registered Users Enumeration

April 21, 2020
CVE Number

Summary

Zoom doesn’t properly validate certain XMPP requests coming from the clients, which can lead to disclosure of details about registered users.

Tested Versions

Zoom Service As Of April 9th 2020

Product URLs

https://zoom.us

CVSSv3 Score

6.5 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-202 - Exposure of Sensitive Data Through Data Queries

Details

Zoom is a video conferencing solution that offers a myriad of features. One of the services offered is chat with users contacts.

Zoom’s chat functionality is built on top of XMPP standard. One of the features Zoom offers is searching for contacts within one’s organization. To look up contact’s within one’s organization, Zoom client will send group query XMPP request which specify a group name which in Zoom’s implementation is actually a registration email domain. However, no validation is performed to make sure the requesting user belongs to a queried domain, so arbitrary users can request contact lists of arbitrary registration domains.

After being properly authenticated, a user needs to send a XMPP message of the following content in order to receive a list of users associated with the specified domain:

<iq id='{XXXX}' type='get' from='unknown_xmpp_username@xmpp.zoom.us/ZoomChat_pc' xmlns='jabber:client'>
    <query xmlns='zoom:iq:group' chunk='1' directory='1'>
        <group id='arbitrary_domain.com' version='0' option='0'/>
    </query>
</iq>

In the reply, Zoom server will disclose a directory of users registered under the same domain. The initial details include user’s associated autogenerated XMPP username as well as first and last name. It is likely that combined with other XMPP queries, this could be used to disclose further contact information.

Timeline

2020-04-09 - Initial contact

2020-04-21 - Public Release

Credit

Discovered by Cisco Talos.