
Zoom Contacts Feature Leaks Email Addresses, Photos

Strangers Could Start a Chat with Someone Using Same Email Domain

Popular teleconferencing software Zoom is continuing to fall under scrutiny as questions are raised over its privacy and security practices.


The latest issue to arise is a feature that's designed to help individuals within an organization quickly connect to others through the desktop app.

According to a report in Motherboard, the feature can expose email addresses, full names and profile photos for certain users when it should not.

The issue would also allow a stranger to initiate a chat with someone. The stranger could also start a call, although the recipient would have to accept the call, Motherboard writes.

Contacts Lookup

The problem revolves around Zoom's "Company Directory" feature in its desktop application. When someone registers with Zoom, Zoom looks to see if others using the same email domain are registered. If so, Zoom adds them to a sub-menu labelled "Company Contacts."

Browsing to that submenu lists other users' email addresses and perhaps their profile photo, if one has been uploaded. It doesn't appear the other person has to accept an invitation before at least a chat can be started.

A user in the Netherlands, Jeroen J.V Lebon, tweeted directly to Zoom about the issue on March 24.

Another user in the Netherlands who highlighted the issue to Motherboard, Barend Gehrels, saw data for at least 1,000 people he didn't know.

Motherboard reports that Gehrels registered email addresses from three Dutch ISPs: xs4all.nl, dds.nl, and quicknet.nl. Zoom then displayed other users who had used email addresses with those domains.

A Growing Blacklist

Zoom tells Information Security Media Group that it blacklists domains that shouldn't be enumerated.

That includes domains for email providers including Google, Microsoft, Yahoo and more, according to its support page.

"We are always working to identify domains to be added to our domain blacklist and ensure it is as up to date as possible," according to a spokesman. "If users are aware of a domain that they think should be blacklisted, but is not, we encourage them to report it to us."

Those who come across a domain that should be blacklisted can file a support request, the spokesman says.

But a test done by ISMG suggests that blacklisting domains may not be the most efficient approach. ISMG registered a Zoom account with a non-corporate email address, and the contacts list then displayed the email address and name of an unknown person. As Zoom's user base grows amid the COVID-19 pandemic, the company may find it difficult to keep its blacklist current against an increasingly diverse pool of email domains.

One Twitter user, Mike Puterbaugh, suggested the correct way for Zoom to design the feature would be to whitelist only email domains that are linked to an active Zoom enterprise contract.

Puterbaugh writes that "it had to have taken extra effort to design this wrongly instead of doing it the correct way."
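The design difference discussed above, shown as an added example that is not Zoom's code: a "company contacts" lookup built on a denylist of shared email providers, beside one built on an allowlist of domains an organization has verified. The user records, the denylist and the verified-domain set are all constructed for the example; the `leaking_domains` audit function is a hypothetical helper that reports exactly the domains the denylist design misses.

```python
# Added example (not Zoom's code): contrasting a denylist of shared email
# providers with an allowlist of verified organization domains when
# building a "company contacts" view from the registered-user table.

from collections import defaultdict

# Constructed sample of registered users with fictitious addresses.
USERS = [
    {"name": "Alice Example", "email": "alice@example-corp.com"},
    {"name": "Bob Example", "email": "bob@example-corp.com"},
    {"name": "Carol Consumer", "email": "carol@gmail.com"},
    {"name": "Dan Consumer", "email": "dan@gmail.com"},
    {"name": "Erik Subscriber", "email": "erik@xs4all.nl"},
    {"name": "Fleur Subscriber", "email": "fleur@xs4all.nl"},
]

# Denylist design: shared providers the operator has thought to block so far.
# Any consumer or ISP domain not on this list still gets grouped (constructed).
SHARED_PROVIDER_DENYLIST = {"gmail.com", "outlook.com", "yahoo.com"}

# Allowlist design: only domains whose ownership an organization has proven,
# e.g. through an enterprise contract, are ever grouped (hypothetical set).
VERIFIED_ORG_DOMAINS = {"example-corp.com"}


def domain_of(email):
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[1].lower()


def _same_domain_others(viewer_email, users):
    """All users sharing the viewer's domain, excluding the viewer."""
    d = domain_of(viewer_email)
    return [u for u in users
            if domain_of(u["email"]) == d
            and u["email"].lower() != viewer_email.lower()]


def company_contacts_denylist(viewer_email, users):
    """Denylist design: show everyone on the same domain unless the domain
    has been explicitly marked as a shared provider."""
    if domain_of(viewer_email) in SHARED_PROVIDER_DENYLIST:
        return []
    return _same_domain_others(viewer_email, users)


def company_contacts_allowlist(viewer_email, users):
    """Allowlist design: show same-domain users only when the domain is a
    verified organization; everything else defaults to an empty list."""
    if domain_of(viewer_email) not in VERIFIED_ORG_DOMAINS:
        return []
    return _same_domain_others(viewer_email, users)


def leaking_domains(users):
    """Audit helper: domains that group two or more users but are neither
    denylisted nor verified. Under the denylist design these users can see
    each other's names and addresses; under the allowlist design they cannot."""
    counts = defaultdict(int)
    for u in users:
        counts[domain_of(u["email"])] += 1
    return {d for d, n in counts.items()
            if n > 1
            and d not in SHARED_PROVIDER_DENYLIST
            and d not in VERIFIED_ORG_DOMAINS}


if __name__ == "__main__":
    # The ISP subscriber sees a stranger under the denylist design but
    # nobody under the allowlist design; the corporate user sees a
    # colleague under both.
    for viewer in ("erik@xs4all.nl", "alice@example-corp.com", "carol@gmail.com"):
        print(viewer,
              "denylist:", [u["name"] for u in company_contacts_denylist(viewer, USERS)],
              "allowlist:", [u["name"] for u in company_contacts_allowlist(viewer, USERS)])
    print("domains the denylist misses:", leaking_domains(USERS))
```

The allowlist version fails closed: a domain the operator has never heard of yields no contacts, so the blacklist never has to catch up with new ISPs. The audit function is the check a defender would run over the user table to measure how much exposure the denylist design currently carries.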

Zoom: Security Questions

Zoom's information leakage issue adds to the bevy of concerns that have been recently raised. That has ranged from its transfer of data to Facebook, its privacy policy and the disruptive practice of "Zoom-bombing," or interlopers joining meetings that haven't been password-protected (see: Zoom Stops Transferring Data by Default to Facebook).

The FBI issued a warning on Monday that Zoom conferences should be password-protected. At a minimum, conference organizers should put new entrants into a virtual "waiting room" rather than let unknown people gain sudden, unfettered access.

Also, New York's Attorney General, Letitia James, had sent a letter to Zoom seeking information about the company's privacy and security practices, including whether attackers could gain control of consumer webcams (see: Fraudsters Take Advantage of Zoom's Popularity).

Fraudsters Leverage Zoom

On Monday, Check Point Software published a report that found 1,700 domains using the Zoom name have been registered since the start of the year, with 25 percent of those coming in the last week. Of those 1,700 domains, Check Point researchers estimate that about 4 percent have "suspicious characteristics," which is likely a sign of fraudsters starting phishing campaigns with Zoom-related messages as a lure. In some cases, the phishing emails and messages that researchers have observed spoof Zoom login pages and attempt to get victims to input their credentials, which are then harvested by the attackers, the report notes.

In addition to suspicious domains, Check Point notes that its researchers have also uncovered malicious files with names such as "zoom-us-zoom_##########.exe" and "microsoft-teams_V#mu#D_##########.exe." If downloaded on a device, these files install software called InstallCore, which enables attackers to download additional malware onto the device, according to the Check Point report.

Senior Correspondent Apurva Venkat contributed to this story.


About the Author

Jeremy Kirk


Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



