A problem in Zoom’s screen-sharing facility shows parts of presenters’ screens that they did not intend to share – potentially leaking emails or passwords.
A security slip-up in the current version of Zoom could accidently leak users’ data to other meeting participants on a call. However, the data is only leaked briefly, making a potential attack hard to carry out.
The flaw (CVE-2021-28133) relates to a glitch in the screen-sharing function of video conferencing platform, Zoom. This function allows users to share the contents of their screen with other participants in a Zoom conferencing call. They have the option to share their entire screen, one or more application windows, or just 1 selected area of their screen.
Under Certain Conditions
However, “under certain conditions” if a Zoom presenter chooses to share one application window, the share-screen feature briefly transmits content of other application windows to meeting participants, according to German-based SySS security consultant Michael Strametz, who found the flaw, & researcher Matthias Deeg, in a Thurs. disclosure advisory in German.
“The impact in real-life situations would be sharing confidential data in an unintended way to unauthorised people,” Deeg explained.
The current Zoom client version, 5.5.4 (13142.0301), for Windows is still vulnerable to the issue, Deeg outlined.
Split Application Window
The problem occurs in a “reliably reproducible manner” when a user shares one split application window (such as presentation slides in a web browser) while opening other applications (e.g., a mail client) in the background, in what is supposed to be in ‘non-shared mode’.
Researchers found the contents of the explicitly non-shared application window can be seen for a “brief moment” by meeting participants.
While this would only happen briefly, researchers warned that other meeting members s who are recording the Zoom meeting (either through Zoom’s built-in recording capabilities or via screen recording software like SimpleScreenRecorder) are able to then go back to the recording & fully see any potentially sensitive data leaked via the transmission.
Because this bug would be difficult to actually intentionally exploit (an attacker would need to be a participant in a meeting where data is inadvertently leaked by the bug) the flaw is only medium severity (5.7 out of 10) on the CVSS scale.
However, “the severity of this issue really depends on the unintended shared data,” Deeg outlined. “In some cases, it doesn’t matter, in other cases, it may cause more trouble.”
For example, if a conference or webinar panellist were presenting slides to attendees via Zoom, & then opened a password manager or email application in the background, other Zoom participants would be able to access this information.
The vulnerability was reported to Zoom last Dec. 2 – however, as of the date of public disclosure, on Thur., researchers commented that they are “not aware of a fix” despite several inquiries for status updates from Zoom.
“Unfortunately, our questions concerning status updates on Jan. 21 & Feb. 1, 2021, remained unanswered,” Deeg explained. “I hope that Zoom will soon fix this issue & my only advice for all Zoom users… is to be careful when using the screen sharing functionality & to follow a strict ‘clean virtual desktop’ policy during Zoom meetings.”