Zoom Contacts Feature Leaks Email Addresses, PhotosStrangers Could Start a Chat with Someone Using Same Email Domain
Popular teleconferencing software Zoom is continuing to fall under scrutiny as questions are raised over its privacy and security practices.
The latest issue to arise is a feature that's designed to help individuals within an organization quickly connect to others through the desktop app.
According to a report in Motherboard, the feature can expose email addresses, full names and profile photos for certain users when it should not.
The issue would also allow a stranger to initiate a chat with someone. The stranger could also start a call, although the recipient would have to accept the call, Motherboard writes.
The problem revolves around Zoom's "Company Directory" feature in its desktop application. When someone registers with Zoom, Zoom looks to see if others using the same email domain are registered. If so, Zoom adds them to a sub-menu labelled "Company Contacts."
Browsing to that submenu lists other users' email addresses and perhaps their profile photo, if one has been uploaded. It doesn't appear the other person has to accept an invitation before at least a chat can be started.
A user in the Netherlands, Jeroen J.V Lebon, tweeted directly to Zoom about the issue on March 24.
@zoom_us I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional? #GDPR pic.twitter.com/bw5xZIGtSE— Jeroen J.V Lebon (@JJVLebon) March 23, 2020
Another user in the Netherlands who highlighted the issue to Motherboard, Barend Gehrels, saw data for at least 1,000 people he didn't know.
Motherboard reports that Gehrels registered email addresses from three Dutch ISPs: xs4all.nl, dds.nl, and quicknet.nl. Zoom then displayed other users who had used email addresses with those domains.
A Growing Blacklist
Zoom tells Information Security Media Group that it blacklists domains that shouldn't be enumerated.
That includes domains for email providers including Google, Microsoft, Yahoo and more, according to its support page.
"We are always working to identify domains to be added to our domain blacklist and ensure it is as up to date as possible," according to a spokesman. "If users are aware of a domain that they think should be blacklisted, but is not, we encourage them to report it to us."
Those who come across a domain that should be blacklisted can file a support request, the spokesman says.
But a test done by ISMG suggests that blacklisting domains may not be the most efficient approach. ISMG registered a non-corporate email address, which then returned the email address and name for an unknown person. As Zoom's business grows amidst the COVID-19 pandemic, it would suggest it may be difficult for the company to keep up with blacklisting a diversifying pool of email domains.
One Twitter user, Mike Puterbaugh, suggested the correct way to Zoom to design the feature would be to only whitelist email domains that are linked to an active Zoom enterprise contract.
Puterbaugh writes that "it had to have taken extra effort to design this wrongly instead of doing it the correct way."
Zoom: Security Questions
The FBI issued a warning on Monday that Zoom conference should be password protected. At minimum, conference organizers should put new entrants into a virtual "waiting room" rather than let unknown people gain sudden, unfettered access.
Also, New York's Attorney General, Letitia James, had sent a letter to Zoom seeking information about the company's privacy and security practices, including whether attackers could gain control of consumer webcams (see: Fraudsters Take Advantage of Zoom's Popularity).
Fraudsters Leverage Zoom
On Monday, Check Point Software published a report that found 1,700 domains using the Zoom name have been registered since the start of the year, with 25 percent of those coming in the last week. Of those 1,700 domains, Check Point researchers estimate that about 4 percent have "suspicious characteristics," which is likely a sign of fraudsters starting phishing campaigns with Zoom-related messages as a lure. In some cases, the phishing emails and messages that that researchers have observed spoof Zoom login pages and attempt to get victims to input their credentials, which are then harvested by the attackers, the report notes.
In addition to suspicious domains, Check Point notes that its researchers have also uncovered malicious files with names such as "zoom-us-zoom_##########.exe" and "microsoft-teams_V#mu#D_##########.exe." If downloaded on a device, these files install software called InstallCore, which enables attackers to download additional malware onto the device, according to the Check Point report.
Senior Correspondent Apurva Venkat contributed to this story.