A newly discovered glitch in Zoom’s screen sharing feature can accidentally leak sensitive information to other attendees in a call, according to the latest findings.
Tracked as CVE-2021-28133, the unpatched security vulnerability makes it possible to reveal contents of applications that are not shared, but only briefly, thereby making it harder to exploit it in the wild.
It’s worth pointing out that the screen sharing functionality in Zoom lets users share an entire desktop or phone screen, or limit sharing to one or more specific applications, or a portion of a screen. The issue stems from the fact that a second application that’s overlayed on top of an already shared application can reveal its contents for a short period of time.
“When a Zoom user shares a specific application window via the ‘share screen’ functionality, other meeting participants can briefly see contents of other application windows which were not explicitly shared,” SySS researchers Michael Strametz and Matthias Deeg noted. “The contents of not shared application windows can, for instance, be seen for a short period of time by other users when those windows overlay the shared application window and get into focus.”
https://www.youtube.com/watch?v=SonmmgQlLzg
The flaw, which was tested on versions 5.4.3 and 5.5.4 across both Windows and Linux clients, is said to have been disclosed to the videoconferencing company on December 2, 2020. The lack of a fix even after three months could be attributed in part to the difficulty in exploiting the vulnerability.
But nonetheless, this could have serious consequences depending on the nature of the inadvertently shared data, the researchers warned, adding a malicious participant of a Zoom meeting can take advantage of the weakness by making use of a screen capture tool to record the meeting and playback the recording to view the private information.
When reached for a response, a Zoom spokesperson said it’s working to address the issue. “Zoom takes all reports of security vulnerabilities seriously,” the company told The Hacker News via email. “We are aware of this issue, and are working to resolve it.”
Leave a Reply