
Zoom’s Screen-Sharing Feature Bug Leaks Sensitive Data

Zoom is a video conferencing and messaging software with support for many different devices.

A bug in Zoom’s screen-sharing feature exposes parts of presenters’ screens that they did not intend to share, potentially leaking email messages or passwords.

Zoom’s Screen-Sharing Feature Bug

The flaw, tracked as CVE-2021-28133, stems from a bug in the screen-sharing function of the Zoom video conferencing platform. This function allows users to share the contents of their screen with other participants in a Zoom call. They have the option to share their entire screen, one or more application windows, or just one selected area of their screen.

Under certain conditions, if a Zoom presenter chooses to share a single application window, the screen-sharing feature briefly transmits the content of other application windows to meeting participants, according to Michael Strametz, a security consultant at the Germany-based firm SySS who discovered the flaw, and researcher Matthias Deeg.

Depending on the data that is unintentionally shared, the short exposure of screen contents may be a more or less severe security issue. A Zoom meeting participant who records the meeting with screen recorder software may afterwards have access to sensitive data of other users that is visible in a few frames of the recorded video.

The current Zoom client for Windows, version 5.5.4 (13142.0301), is still vulnerable to the issue, says Deeg.

The issue occurs in a “reliably reproducible manner” when a user shares one split application window (such as presentation slides in a web browser) while opening other applications (such as a mail client) in the background, which are supposed to remain unshared.

The researchers found that the contents of the explicitly non-shared application window can be seen for a “brief moment” by meeting participants.

The researchers warn that other meeting participants who are recording the Zoom meeting (either through Zoom’s built-in recording capability or via screen recording software such as SimpleScreenRecorder) can then go back to the recording and view in full any potentially sensitive data leaked through that transmission.
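Because the exposure lasts only a few frames, a presenter who wants to audit their own recording has to look for brief flashes of content that differ from the window they meant to share. The following is an added example, not code from the article, from SySS or from Zoom: it models a recording as a list of greyscale frames (each a list of rows of 0-255 pixel values) and flags short runs of frames that differ strongly from the surrounding stable content. The frames, the `make_frame` helper and the `find_transient_frames` function are constructed for this example; decoding a real video into that shape is left to a video library and is outside its scope.

```python
# Added example (not from the article or from SySS): scan a sequence of
# screen-share frames for brief flashes of unrelated content, the kind of
# transient exposure the advisory describes. Frames are modelled as lists of
# rows of greyscale pixel values (0-255); a real recording would first be
# decoded into that shape, which this example does not do.


def frame_diff(a, b):
    """Fraction of pixels that differ between two frames.

    Assumes both frames have the same dimensions (an assumption of this
    example); mismatched rows or pixels are simply not compared."""
    total = 0
    changed = 0
    for row_a, row_b in zip(a, b):
        for pa, pb in zip(row_a, row_b):
            total += 1
            if pa != pb:
                changed += 1
    return changed / total if total else 0.0


def find_transient_frames(frames, threshold=0.5, max_run=3):
    """Return the indices of frames that briefly show different content.

    A run of frames is flagged only if it differs strongly from the stable
    content before it (at least `threshold` of pixels changed) AND the
    stable content returns within `max_run` frames. A lasting change (the
    presenter deliberately switched what is shared) is not flagged.
    """
    n = len(frames)
    flagged = []
    base = 0  # index of the last frame accepted as the stable shared content
    i = 1
    while i < n:
        if frame_diff(frames[base], frames[i]) < threshold:
            base = i  # same content as before; advance the baseline
            i += 1
            continue
        # frames[i] differs from the stable content: measure the run length
        j = i
        while j < n and frame_diff(frames[base], frames[j]) >= threshold:
            j += 1
        if j < n and (j - i) <= max_run:
            flagged.extend(range(i, j))  # content came back quickly: a flash
        if j >= n:
            break  # the change lasted until the end of the recording
        base = j
        i = j + 1
    return flagged


def make_frame(value, width=8, height=6):
    """Constructed uniform greyscale frame used as sample input."""
    return [[value] * width for _ in range(height)]


SLIDES = make_frame(200)  # constructed: the deliberately shared window
MAIL = make_frame(30)     # constructed: a window that should stay private


def demo():
    """Run the detector on two constructed recordings and return the results."""
    # Recording 1: two leaked frames in the middle of a slide deck
    leak = [SLIDES] * 5 + [MAIL] * 2 + [SLIDES] * 5
    # Recording 2: the presenter really switched to the mail client
    switch = [SLIDES] * 5 + [MAIL] * 5
    return {
        "leak": find_transient_frames(leak),      # [5, 6]
        "switch": find_transient_frames(switch),  # []
    }


if __name__ == "__main__":
    for name, idx in demo().items():
        print(f"{name}: flagged frames {idx}")
```

The detector deliberately ignores changes that persist (a genuine switch of the shared window) and changes that last longer than `max_run` frames, so on a real recording the threshold and run length would be tuned to the frame rate; the point is that a few-frame flash is exactly what a frame-by-frame comparison against the last stable frame picks up.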

Because this bug would be difficult to exploit intentionally (an attacker would need to be a participant in a meeting where the bug inadvertently leaks data), the flaw is rated only medium severity (5.7 out of 10) on the CVSS scale.

The vulnerability was reported to Zoom; however, as of the date of public disclosure, the researchers said they were “not aware of a fix” despite several inquiries to Zoom for status updates.

“I hope that Zoom will soon fix this issue and my only advice for all Zoom users… is to be careful when using the screen sharing functionality and [to follow a] strict ‘clean virtual desktop’ policy during Zoom meetings,” says Deeg.

With the coronavirus pandemic driving many more businesses to “flatten the curve” by going remote over the previous 12 months, and consequently onto web conferencing platforms, Zoom has been grappling with various security and privacy issues, including attackers hijacking online meetings in what are called Zoom bombing attacks.

Other security issues have come to light in Zoom’s platform over the past year, such as one that could have allowed attackers to crack private meeting passcodes and snoop on video conferences.

Nevertheless, Zoom has also taken important steps to protect its conferencing platform, such as strengthening its end-to-end encryption and applying other security measures.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
