A new Zoom vulnerability is leaking private data to strangers

The ongoing coronavirus pandemic has companies relying on work collaboration and video conferencing apps like Slack and Zoom. While Zoom has been enjoying its newfound fame, the company has also been a target of attacks and is dealing with vulnerabilities and security breaches.

Earlier today we reported about a security vulnerability which allows anyone you chat with to steal your Windows Login credentials. Now, Vice has published a report that identifies another flaw in Zoom. According to Vice, Zoom is leaking email addresses, user photos, and allowing some users to initiate a video call with strangers. This is because of how the app handles contacts that it perceives work for the same organization.

Apparently, the company has a feature called “Company Directory” that allows users to add others with the same domain so its easier to find can call people. The feature was meant to be users inside an organization where everyone shares the same domain name. However, the software is treating some of the private domains as they were a part of a company and as such, it’s adding thousands of random people to the pool as if they all worked for the same company, exposing their personal information to one another.

The user who tipped Vice about the issue said he could see their full names, their mail addresses, their profile picture (if they have any), their status and you can video call them. He also noted that for the bug to be exploited, a user needs to sign up with a non-standard email like xs4all.nl, dds.nl, and quicknet.nl. These are all Dutch internet service providers (ISPs) which offer email services.

The issue lies in Zoom’s “Company Directory” setting, which automatically adds other people to a user’s lists of contacts if they signed up with an email address that shares the same domain. This can make it easier to find a specific colleague to call when the domain belongs to an individual company. But multiple Zoom users say they signed up with personal email addresses, and Zoom pooled them together with thousands of other people as if they all worked for the same company, exposing their personal information to one another.

– Vice

Vice also found instances of others complaining about the same issue on Twitter. All of the users signed in using Dutch non-standard emails and the app assumed that they were a part of the company.

https://twitter.com/JJVLebon/status/1242175850306580486

Dutch ISP XS4ALL tweeted in response to a complaint, “This is something we cannot disable. You could see if Zoom can help you with this.” Another Dutch ISP DDS told Vice that it was aware about the issue but hasn’t heard anything directly from the customers. Zoom, on the other hand, gave the following statement to Vice:

Zoom maintains a blacklist of domains and regularly proactively identifies domains to be added. With regards to the specific domains that you highlighted in your note, those are now blacklisted.

– Zoom

Additionally, the company also pointed to a section of the website where users can request other domains to be removed from the Company Directory feature. Unfortunately, this is not the first time that the company has been caught with its pants down. Back in 2019, a researcher uncovered a bug that allowed hackers to take control of webcams without the knowledge of the user.

Earlier EFF pointed out how hosts can monitor the participants and know if a window the Zoom window is in focus or not and if users record the video call, then Zoom administrators are able to “access the contents of that recorded call, including video, audio, transcript, and chat files, as well as access to sharing, analytics, and cloud management privileges”. Last week, Zoom was caught sharing data with Facebook and just yesterday we covered Zoom’s bogus claims about end-to-end encryption on group calls.

Update:

Over the next 90 days, Zoom will be using all its resources to better identify, address, and fix security and privacy issues proactively. So, Zoom won’t be adding any new features in the next 3 months. It will also conduct a comprehensive review with third-party experts and representative users to understand and ensure the security of its service. Learn more about this announcement here.