[BreachExchange] Zoom Contacts Feature Leaks Email Addresses, Photos

Destry Winant destry at riskbasedsecurity.com
Thu Apr 2 10:24:14 EDT 2020


Popular teleconferencing software Zoom is continuing to fall under
scrutiny as questions are raised over its privacy and security.


The latest issue to arise is a feature that's designed to help
individuals within an organization quickly connect to others through
the desktop app.

According to a report in Motherboard, the feature can expose email
addresses, full names and profile photos for certain users when it
should not.

The issue would also allow a stranger to initiate a chat with someone.
The stranger could also start a call, although the recipient would
have to accept the call, Motherboard writes.

Contacts Lookup

The problem revolves around Zoom's "Company Directory" feature in its
desktop application. When someone registers with Zoom, Zoom looks to
see if others using the same email domain are registered. If so, Zoom
adds them to a sub-menu labelled "Company Contacts."

Browsing to that submenu lists other users' email addresses and
perhaps their profile photo, if one has been uploaded. It doesn't
appear the other person has to accept an invitation before at least a
chat can be started.

A user in the Netherlands, Jeroen J.V Lebon, tweeted directly to Zoom
about the issue on March 24.

Jeroen J.V Lebon (@JJVLebon), 2:46 PM - Mar 23, 2020, Den Helder, Nederland:

"@zoom_us I just had a look at the free for private use version of Zoom
and registered with my private email. I now got 1000 names, email
addresses and even pictures of people in the company Directory. Is
this intentional? #GDPR"

Another user in the Netherlands who highlighted the issue to
Motherboard, Barend Gehrels, saw data for at least 1,000 people he
didn't know.

Motherboard reports that Gehrels registered email addresses from three
Dutch ISPs: xs4all.nl, dds.nl, and quicknet.nl. Zoom then displayed
other users who had used email addresses with those domains.

A Growing Blacklist

Zoom tells Information Security Media Group that it blacklists domains
that shouldn't be enumerated.

That includes domains for email providers including Google, Microsoft,
Yahoo and more, according to its support page.

"We are always working to identify domains to be added to our domain
blacklist and ensure it is as up to date as possible," according to a
spokesman. "If users are aware of a domain that they think should be
blacklisted, but is not, we encourage them to report it to us."

Those who come across a domain that should be blacklisted can file a
support request, the spokesman says.

But a test done by ISMG suggests that blacklisting domains may not be
the most effective approach. ISMG registered a non-corporate email
address, and the directory then returned the email address and name of
an unknown person. As Zoom's user base grows amid the COVID-19
pandemic, keeping a blacklist current across an ever more diverse pool
of email domains is likely to become harder.

One Twitter user, Mike Puterbaugh, suggested to Zoom that the correct
way to design the feature would be to whitelist only email domains that
are linked to an active Zoom enterprise contract.

Puterbaugh writes that "it had to have taken extra effort to design
this wrongly instead of doing it the correct way."
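The difference between the two designs is easiest to see in code. The following is an added illustration, not Zoom's implementation: it models a directory that groups users by email domain, first with a denylist of consumer providers (the approach Zoom's support page describes) and then with an allowlist of domains an organization has verified it controls. The denylist entries, the verified-domain set and the sample users are assumptions; xs4all.nl is used because the article names it as one of the leaking ISP domains.

```python
"""Illustrative model of a "company directory" that groups users by email
domain. Added example, not Zoom's code: the denylist, the verified-domain
set and the user population are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    email: str


def email_domain(email: str) -> str:
    # Normalise case so "Erin@Example-Corp.com" groups with "dave@example-corp.com".
    return email.rsplit("@", 1)[1].lower()


# Constructed sample population. The ISP domain (xs4all.nl) is exactly the
# kind of shared domain a consumer-provider denylist is unlikely to contain.
USERS = [
    User("Alice", "alice@xs4all.nl"),
    User("Bob", "bob@xs4all.nl"),
    User("Carol", "carol@xs4all.nl"),
    User("Dave", "dave@example-corp.com"),
    User("Erin", "Erin@Example-Corp.com"),
    User("Frank", "frank@gmail.com"),
    User("Grace", "grace@gmail.com"),
]

# Weak design: everyone sharing a domain is a "company contact" unless the
# domain is on a denylist of known consumer providers (assumed entries).
DENYLISTED_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Hardened design: only domains an organisation has proven it controls
# (for example via an enterprise contract plus DNS verification) are grouped.
VERIFIED_ORG_DOMAINS = {"example-corp.com"}


def _same_domain_others(viewer: User, users) -> list:
    d = email_domain(viewer.email)
    return [u for u in users if u != viewer and email_domain(u.email) == d]


def company_contacts_denylist(viewer: User, users=USERS) -> list:
    """Denylist approach: fails open for any shared domain not yet listed."""
    if email_domain(viewer.email) in DENYLISTED_DOMAINS:
        return []
    return _same_domain_others(viewer, users)


def company_contacts_allowlist(viewer: User, users=USERS) -> list:
    """Allowlist approach: fails closed for unknown domains."""
    if email_domain(viewer.email) not in VERIFIED_ORG_DOMAINS:
        return []
    return _same_domain_others(viewer, users)


def exposed_domains(users=USERS) -> set:
    """Domains the denylist design would expose: shared by at least two
    users, not denylisted, and not verified as an organisation's domain."""
    counts = {}
    for u in users:
        d = email_domain(u.email)
        counts[d] = counts.get(d, 0) + 1
    return {d for d, n in counts.items()
            if n >= 2 and d not in DENYLISTED_DOMAINS
            and d not in VERIFIED_ORG_DOMAINS}


if __name__ == "__main__":
    alice = USERS[0]
    print("denylist :", [u.email for u in company_contacts_denylist(alice)])
    print("allowlist:", [u.email for u in company_contacts_allowlist(alice)])
    print("exposed  :", sorted(exposed_domains()))
```

Run stand-alone, the denylist variant shows Alice (a private xs4all.nl user) the two strangers who share her ISP domain, while the allowlist variant shows her nothing because the domain was never verified by an organisation. The audit helper makes the operational point from the ISMG test: under a denylist, every shared domain nobody has got round to listing is a leak waiting to be found.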

Zoom: Security Questions

Zoom's information leakage issue adds to the bevy of concerns that
have been raised recently. Those range from its transfer of data to
Facebook and its privacy policy to the disruptive practice of
"Zoom-bombing," in which interlopers join meetings that haven't been
password-protected (see: Zoom Stops Transferring Data by Default to

The FBI issued a warning on Monday that Zoom conferences should be
password-protected. At a minimum, conference organizers should put new
entrants into a virtual "waiting room" rather than give unknown people
immediate, unfettered access.

Also, New York's Attorney General, Letitia James, sent a letter to
Zoom seeking information about the company's privacy and security
practices, including whether attackers could gain control of consumer
webcams (see: Fraudsters Take Advantage of Zoom's Popularity).

Fraudsters Leverage Zoom

On Monday, Check Point Software published a report that found 1,700
domains using the Zoom name have been registered since the start of
the year, with 25 percent of those registered in the last week. Of
those 1,700 domains, Check Point researchers estimate that about 4
percent have "suspicious characteristics," likely a sign of fraudsters
starting phishing campaigns that use Zoom-related messages as a lure.
In some cases, the phishing emails and messages that researchers have
observed spoof Zoom login pages and attempt to get victims to input
their credentials, which are then harvested by the attackers, the
report notes.

In addition to suspicious domains, Check Point notes that its
researchers have also uncovered malicious files with names such as
"zoom-us-zoom_##########.exe" and
"microsoft-teams_V#mu#D_##########.exe." If downloaded on a device,
these files install software called InstallCore, which enables
attackers to download additional malware onto the device, according to
the Check Point report.
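The two indicators above (lookalike domains carrying the Zoom name, and dropper file names of the shapes Check Point quotes) are the kind a defender would turn into a triage rule. The following is an added detection example, not Check Point's tooling: it scans constructed download records for the two file-name patterns and for hostnames that contain "zoom" without being the vendor's own domain. The report renders the variable parts of the file names as "#", so treating them as runs of digits is an assumption, as are the legitimate-domain set and the sample records.

```python
"""Added detection example (not Check Point's tooling): scan constructed
download records for the dropper file-name patterns the report describes
and for Zoom-lookalike hostnames. The digit placeholders, the
legitimate-domain set and the records are assumptions."""
import re

# The report writes the variable parts as '#'; numeric runs are assumed.
SUSPICIOUS_FILENAMES = [
    re.compile(r"^zoom-us-zoom_\d+\.exe$", re.IGNORECASE),
    re.compile(r"^microsoft-teams_V[^_]+_\d+\.exe$", re.IGNORECASE),
]

# Hostnames the vendor legitimately serves from (assumed for this example).
LEGITIMATE_DOMAINS = {"zoom.us", "zoom.com"}


def is_suspicious_filename(name: str) -> bool:
    return any(p.match(name) for p in SUSPICIOUS_FILENAMES)


def is_lookalike_host(host: str) -> bool:
    """Coarse heuristic: the brand name appears in a host that is neither a
    legitimate domain nor a subdomain of one."""
    host = host.lower().rstrip(".")
    if host in LEGITIMATE_DOMAINS:
        return False
    if any(host.endswith("." + d) for d in LEGITIMATE_DOMAINS):
        return False
    return "zoom" in host


def triage(records):
    """Return (host, filename, reasons) for every record that trips a check."""
    hits = []
    for host, filename in records:
        reasons = []
        if is_lookalike_host(host):
            reasons.append("lookalike-domain")
        if is_suspicious_filename(filename):
            reasons.append("known-dropper-filename")
        if reasons:
            hits.append((host, filename, reasons))
    return hits


# Constructed records in the shape (download host, saved file name).
SAMPLE_RECORDS = [
    ("zoom.us", "ZoomInstaller.exe"),
    ("us02web.zoom.us", "zoom_client.pkg"),
    ("zoom-us-meeting-login.com", "ZoomInstaller.exe"),
    ("cdn.example.net", "zoom-us-zoom_1234567890.exe"),
    ("files.example.org", "microsoft-teams_V1mu2D_0987654321.exe"),
    ("zoom-update.example.com", "zoom-us-zoom_5555555555.exe"),
]

if __name__ == "__main__":
    for host, name, why in triage(SAMPLE_RECORDS):
        print(f"{host:28} {name:42} {','.join(why)}")
```

The host check deliberately whitelists the vendor's real domains and their subdomains before looking for the brand string, so a genuine download from a zoom.us subdomain is never flagged; everything else containing "zoom" is surfaced for a human to look at, which matches the "suspicious characteristics" triage the report describes rather than a verdict.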
