A security blip in the current version of Zoom could inadvertently leak users’ data to other meeting participants on a call. However, the data is only leaked briefly, making a potential attack difficult to carry out.
The flaw (CVE-2021-28133) stems from a glitch in the screen sharing function of video conferencing platform Zoom. This function allows users to share the contents of their screen with other participants in a Zoom conferencing call. They have the option to share their entire screen, one or more application windows or just one selected area of their screen.
However, “under certain conditions,” if a Zoom presenter chooses to share a single application window, the screen-sharing feature briefly transmits the content of other application windows to meeting participants, according to Michael Strametz, a security consultant at the German firm SySS who discovered the flaw, and researcher Matthias Deeg, in a disclosure advisory published Thursday (translated via Google).
“The impact in real-life situations would be sharing confidential data in an unintended way to unauthorized people,” Deeg told Threatpost.
The current Zoom client version, 5.5.4 (13142.0301), for Windows is still vulnerable to the issue, Deeg told Threatpost.
The issue occurs in a “reliably reproducible manner” when a user shares one application window (such as presentation slides in a web browser) while opening other applications (such as a mail client) in the background, which are supposed to remain non-shared. The researchers found that the contents of the explicitly non-shared application window can be seen for a “brief moment” by meeting participants.
While this would only occur briefly, the researchers warn that other meeting participants who are recording the Zoom meeting (either through Zoom’s built-in recording capability or via screen-recording software such as SimpleScreenRecorder) can then go back to the recording and fully view any sensitive data leaked through that transmission.
Because this bug would be difficult to exploit intentionally (an attacker would need to be a participant in a meeting where data is inadvertently leaked by the bug), the flaw is rated only medium severity (5.7 out of 10) on the CVSS scale.
However, “the severity of this issue really depends on the unintended shared data,” Deeg told Threatpost. “In some cases, it doesn’t matter, in other cases, it may cause more trouble.”
For instance, if a conference or webinar panelist was presenting slides to attendees via Zoom, and then opened a password manager or email application in the background, other Zoom participants would be able to access this information.
A proof-of-concept video of the attack is below:
The vulnerability was reported to Zoom on Dec. 2. However, as of the flaw’s public disclosure on Thursday, the researchers said they were “not aware of a fix,” despite several inquiries to Zoom for status updates.
“Unfortunately, our questions concerning status updates on January 21 and February 1, 2021, remained unanswered,” Deeg told Threatpost. “I hope that Zoom will soon fix this issue and my only advice for all Zoom users… is to be careful when using the screen sharing functionality and [to follow a] strict ‘clean virtual desktop’ policy during Zoom meetings.”
Threatpost has reached out to Zoom for further comment regarding the flaw, and whether it will be fixed in the upcoming release that’s scheduled to go live March 22.
“Zoom takes all reports of security vulnerabilities seriously,” a Zoom spokesperson told Threatpost. “We are aware of this issue, and are working to resolve it.”
With the coronavirus pandemic driving more organizations to “flatten the curve” by going remote over the past year, and thus onto various web conferencing platforms, Zoom has been grappling with a range of security and privacy issues, including attackers hijacking online meetings in so-called Zoom-bombing attacks. Other security issues have come to light in Zoom’s platform over the past year, such as one that could have allowed attackers to crack private meeting passcodes and snoop on video conferences. However, Zoom has also taken important steps to secure its conferencing platform, including beefing up its end-to-end encryption and implementing other security measures.