Zoom doesn’t properly validate certain XMPP requests coming from the clients, which can lead to disclosure of details about registered users.
Zoom Service As Of April 9th 2020
6.5 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE-202 - Exposure of Sensitive Data Through Data Queries
Zoom is a video conferencing solution that offers a myriad of features. One of the services offered is chat with a user’s contacts.
Zoom’s chat functionality is built on top of the XMPP standard. One of the features Zoom offers is searching for contacts within one’s organization. To look up contacts within one’s organization, the Zoom client sends a group query XMPP request that specifies a group name, which in Zoom’s implementation is actually a registration email domain.
However, no validation is performed to make sure the requesting user belongs to the queried domain, so arbitrary users can request contact lists of arbitrary registration domains.
After being properly authenticated, a user needs to send an XMPP message with the following content in order to receive a list of users associated with the specified domain:
<iq id='{XXXX}' type='get' from='unknown_xmpp_username@xmpp.zoom.us/ZoomChat_pc' xmlns='jabber:client'>
<query xmlns='zoom:iq:group' chunk='1' directory='1'>
<group id='arbitrary_domain.com' version='0' option='0'/>
</query>
</iq>
In the reply, the Zoom server will disclose a directory of users registered under the same domain. The initial details include each user’s autogenerated XMPP username as well as first and last name. It is likely that, combined with other XMPP queries, this could be used to disclose further contact information.
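The missing check described above can be sketched server-side as follows. This is an added example, not Zoom's code or part of the original advisory; the function names, the SAMPLE stanza and the idea that the session stores the account's registration email are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

GROUP_NS = "zoom:iq:group"  # namespace taken from the advisory's request
STANZA_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"  # RFC 6120 stanza errors
# Constructed sample stanza; %s is the queried group id (a domain).
SAMPLE = ("<iq id='q1' type='get' xmlns='jabber:client'>"
          "<query xmlns='zoom:iq:group' chunk='1' directory='1'>"
          "<group id='%s' version='0' option='0'/></query></iq>")


def registration_domain(email):
    """Lower-cased domain part of the account's registration email."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("malformed registration email")
    return domain.strip().lower().rstrip(".")


def requested_groups(stanza_xml):
    """Return the iq id and every group id named in a zoom:iq:group query."""
    iq = ET.fromstring(stanza_xml)
    ids = []
    for query in iq.iter("{%s}query" % GROUP_NS):
        for group in query.iter("{%s}group" % GROUP_NS):
            ids.append(group.get("id", "").strip().lower().rstrip("."))
    return iq.get("id", ""), ids


def authorize_group_query(stanza_xml, session_email):
    """Allow the query only if every group id is the caller's own domain.

    session_email (hypothetical) comes from the authenticated server-side
    session, never from the client-controlled 'from' attribute.
    Returns (True, None) or (False, <iq type='error'> reply as a string).
    """
    own = registration_domain(session_email)
    iq_id, groups = requested_groups(stanza_xml)
    if groups and all(g == own for g in groups):  # empty list fails closed
        return True, None
    reply = ET.Element("iq", {"type": "error", "id": iq_id})
    error = ET.SubElement(reply, "error", {"type": "auth"})
    ET.SubElement(error, "{%s}forbidden" % STANZA_NS)
    return False, ET.tostring(reply, encoding="unicode")
```

The check fails closed: a query with no group element, or with any group id that differs from the session's own domain, gets a forbidden error instead of a directory listing.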
2020-04-09 - Initial contact
2020-04-21 - Public Release
Discovered by Cisco Talos.