Flaw Could Have Allowed Hackers to Identify All Zoom Users in a Company
A vulnerability in Zoom's video conferencing service could have been abused to enumerate all of the registered Zoom users within an organization, Cisco Talos reports.
Zoom has drawn a lot of attention over the past several weeks, especially since many organizations have asked employees to work from home during the current COVID-19 pandemic, and, for many, Zoom has become the main option for internal communication.
Talos security researchers discovered that it was possible for a malicious actor to obtain a complete list of Zoom users inside a specific organization.
To exploit the issue, an attacker would need to properly authenticate to Zoom with a valid user account, then send a crafted XMPP message to receive a list of users associated with the targeted domain.
The reply from the Zoom server provided the attacker with a directory of users registered under that domain.