{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2018-007.pdf"
    },
    "title": "Unauthorized Personal Data Sharing",
    "serial_number": "2018-007",
    "publish_date": "30-03-2018 14:49:00",
    "description": "CERT-EU has recently observed the usage of software tools and components that might lead to unauthorized personal data leakage. These components are often available in the form of browser extensions or plugins, or e-mail client plugins. Examples include: Zoominfo, Data.com, InsideView, NetProspex, DiscoverOrg, or LeadIQ. Depending on the machine configuration and policy, these components may often be installed by the users themselves -- without any need for administrator access. Once installed, these components typically gather contact information (address books, etc.), which is then exfiltrated and shared with third parties. Such indiscriminate sharing of corporate address books and other similar data creates potential issues under the new European GDPR directive, and hence should be avoided.",
    "url_title": "2018-007",
    "content_markdown": "---\ntitle: 'Unauthorized Personal Data Sharing'\nversion: '1.0'\nnumber: '2018-007'\ndate: 'March 29, 2018'\n---\n\n_History:_\n\n* _29/03/2018 --- v1.0: Initial publication_\n\n\n# Summary\n\nWe have observed the usage of software tools and components that might lead to unauthorized personal data leakage. These components are often available in the form of browser extensions or plugins, or e-mail client plugins. Examples include: Zoominfo, Data.com, InsideView, NetProspex, DiscoverOrg, or LeadIQ.\n\nDepending on the machine configuration and policy, these components may often be installed by the users themselves -- without any need for administrator access. Once installed, these components typically gather contact information (address books, etc.), which is then exfiltrated and shared with third parties. Such indiscriminate sharing of corporate address books and other similar data creates potential issues under the new European GDPR directive, and hence should be avoided.\n\n# Technical Details\n\nWhile several products exist, this description of technical details focuses on a specific example, Zoominfo, which is relevant to most organizations using the Outlook e-mail client and the Exchange e-mail server.\n\nZoominfo provides an Outlook plugin -- `ZoomInfoContactContributor` -- used to share contacts and receive access to the Zoominfo database.\nDuring the installation of the plugin, additional components are downloaded from `freshcontacts.com`.  \nIn most cases (but depending on local policy and configuration of the end-user machine), **administrative rights are not needed** for the installation of the plugin.\n\nOnce the plugin is installed, it starts sharing the address book entries with the Zoominfo database (and its customers).\n\n# Recommendations\n\nCheck if you are affected by searching your network logs for hits to domains such as `zoominfo.com` and `freshcontacts.com`.\n\nMore broadly, search for other potentially unwanted tools and components that might be used for data leakage, such as Data.com, InsideView, NetProspex, DiscoverOrg, LeadIQ, and others.\n\nIn case you are affected, report to your Data Protection Authority. In any case, check that you have the necessary controls in place, for instance by following the ENISA guide [1].\n\nTo prevent the possibility of unauthorized personal data sharing through the components described in this advisory, consider enforcing a policy that would prevent end-users from installing arbitrary browser extensions as well as e-mail client plugins.\n\n# References\n\n[1] <https://www.enisa.europa.eu/publications/art4_tech>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>29/03/2018 --- v1.0: Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>We have observed the usage of software tools and components that might lead to unauthorized personal data leakage. These components are often available in the form of browser extensions or plugins, or e-mail client plugins. Examples include: Zoominfo, Data.com, InsideView, NetProspex, DiscoverOrg, or LeadIQ.</p><p>Depending on the machine configuration and policy, these components may often be installed by the users themselves -- without any need for administrator access. Once installed, these components typically gather contact information (address books, etc.), which is then exfiltrated and shared with third parties. Such indiscriminate sharing of corporate address books and other similar data creates potential issues under the new European GDPR directive, and hence should be avoided.</p><h2 id=\"technical-details\">Technical Details</h2><p>While several products exist, this description of technical details focuses on a specific example, Zoominfo, which is relevant to most organizations using the Outlook e-mail client and the Exchange e-mail server.</p><p>Zoominfo provides an Outlook plugin -- <code>ZoomInfoContactContributor</code> -- used to share contacts and receive access to the Zoominfo database. During the installation of the plugin, additional components are downloaded from <code>freshcontacts.com</code>. In most cases (but depending on local policy and configuration of the end-user machine), <strong>administrative rights are not needed</strong> for the installation of the plugin.</p><p>Once the plugin is installed, it starts sharing the address book entries with the Zoominfo database (and its customers).</p><h2 id=\"recommendations\">Recommendations</h2><p>Check if you are affected by searching your network logs for hits to domains such as <code>zoominfo.com</code> and <code>freshcontacts.com</code>.</p><p>More broadly, search for other potentially unwanted tools and components that might be used for data leakage, such as Data.com, InsideView, NetProspex, DiscoverOrg, LeadIQ, and others.</p><p>In case you are affected, report to your Data Protection Authority. In any case, check that you have the necessary controls in place, for instance by following the ENISA guide [1].</p><p>To prevent the possibility of unauthorized personal data sharing through the components described in this advisory, consider enforcing a policy that would prevent end-users from installing arbitrary browser extensions as well as e-mail client plugins.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.enisa.europa.eu/publications/art4_tech\">https://www.enisa.europa.eu/publications/art4_tech</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}