Zoom is a video conferencing and messaging software with support for many different devices.
A bug in Zoom’s screen-sharing feature exposes parts of presenters’ screens that they did not intend to share, potentially leaking email messages or passwords.
Zoom’s Screen-Sharing Feature Bug
The flaw, tracked as CVE-2021-28133, stems from a bug in the screen-sharing function of the Zoom video conferencing platform. This function allows users to share the contents of their screen with other participants in a Zoom call. Users can share their entire screen, one or more application windows, or just one selected area of their screen.
Under certain conditions, if a Zoom presenter chooses to share a single application window, the screen-sharing feature briefly transmits the content of other application windows to meeting participants, according to Michael Strametz, a security consultant at the German firm SySS who discovered the flaw, and SySS researcher Matthias Deeg.
Depending on the data that is unintentionally shared, the brief exposure of screen contents may be a more or less severe security issue. A meeting participant who records the meeting with screen-recording software may afterwards have access to sensitive data of other users that appears in a few frames of the recorded video.
The current Zoom client version, 5.5.4 (13142.0301), for Windows is still vulnerable to the issue, says Deeg.
The issue occurs in a “reliably reproducible manner” when a user shares one split application window (such as presentation slides in a web browser) while opening other applications (such as a mail client) in the background, in what is supposed to be non-shared mode.
The researchers found that the contents of the explicitly non-shared application window can be seen for a “brief moment” by meeting participants.
Researchers warn that other meeting participants who are recording the Zoom meeting (either through Zoom’s built-in recording capabilities or via screen recording software like SimpleScreenRecorder) can then go back to the recording and fully view any potentially sensitive data leaked through that transmission.
Because this bug would be difficult to exploit intentionally (an attacker would need to be a participant in a meeting where data is inadvertently leaked by the bug), the flaw is rated only medium severity (5.7 out of 10) on the CVSS scale.
The vulnerability was reported to Zoom; however, as of the date of public disclosure, the researchers said they were “not aware of a fix” despite several inquiries to Zoom for status updates.
“I hope that Zoom will soon fix this issue and my only advice for all Zoom users… is to be careful when using the screen sharing functionality and [to follow a] strict ‘clean virtual desktop’ policy during Zoom meetings,” says Deeg.
With the coronavirus pandemic driving many more businesses to “flatten the curve” by going remote over the past 12 months, and consequently onto web conferencing platforms, Zoom has been grappling with various security and privacy issues, including attackers hijacking online meetings in what are called Zoom-bombing attacks.
Other security issues have come to light in Zoom’s platform over the past year – such as one that could have allowed attackers to crack private meeting passcodes and snoop in on video conferences.
Nevertheless, Zoom has also taken important steps to protect its conferencing platform, such as strengthening its end-to-end encryption and implementing other security measures.