Zoom Screen-Sharing Glitch ‘Briefly’ Leaks Sensitive Data

silversurfer

A security blip in the current version of Zoom could inadvertently leak users’ data to other meeting participants on a call. However, the data is only leaked briefly, making a potential attack difficult to carry out.

The flaw (CVE-2021-28133) stems from a glitch in the screen sharing function of video conferencing platform Zoom. This function allows users to share the contents of their screen with other participants in a Zoom conferencing call. They have the option to share their entire screen, one or more application windows or just one selected area of their screen.

However, “under certain conditions” if a Zoom presenter chooses to share one application window, the share-screen feature briefly transmits content of other application windows to meeting participants, according to German-based SySS security consultant Michael Strametz, who discovered the flaw, and researcher Matthias Deeg, in a Thursday disclosure advisory (which has been translated via Google).

“The impact in real-life situations would be sharing confidential data in an unintended way to unauthorized people,” Deeg told Threatpost.

The current Zoom client version, 5.5.4 (13142.0301), for Windows is still vulnerable to the issue, Deeg told Threatpost.
 

Gandalf_The_Grey

From that article:
The issue occurs in a “reliably reproducible manner” when a user shares one split application window (such as presentation slides in a web browser) while opening other applications (such as a mail client) in the background, in what is supposed to be in non-shared mode. Researchers found, the contents of the explicitly non-shared application window can be perceived for a “brief moment” by meeting participants.

While this would only occur briefly, researchers warn that other meeting participants who are recording the Zoom meeting (either through Zoom’s built-in recording capabilities or via screen recording software like SimpleScreenRecorder) are able to then go back to the recording and fully view any potentially sensitive data leaked through that transmission.

Because this bug would be difficult to actually intentionally exploit (an attacker would need to be a participant in a meeting where data is inadvertently leaked by the bug) the flaw is only medium-severity (5.7 out of 10) on the CVSS scale.

However, “the severity of this issue really depends on the unintended shared data,” Deeg told Threatpost. “In some cases, it doesn’t matter, in other cases, it may cause more trouble.”

The vulnerability was reported to Zoom on Dec. 2 – however, as of the date of public disclosure of the flaw, on Thursday, researchers said they are “not aware of a fix” despite several inquiries for status updates from Zoom.

“Unfortunately, our questions concerning status updates on January 21 and February 1, 2021, remained unanswered,” Deeg told Threatpost. “I hope that Zoom will soon fix this issue and my only advice for all Zoom users… is to be careful when using the screen sharing functionality and [to follow a] strict ‘clean virtual desktop’ policy during Zoom meetings.”

Threatpost has reached out to Zoom for further comment regarding the flaw, and whether it will be fixed in the upcoming release that’s scheduled to go live March 22.

“Zoom takes all reports of security vulnerabilities seriously,” a Zoom spokesperson told Threatpost. “We are aware of this issue, and are working to resolve it.”
 
