Zoom Screen-Sharing Glitch ‘Briefly’ Leaks Sensitive Data

[silversurfer]

A security blip in the current version of Zoom could inadvertently leak users’ data to other meeting participants on a call. However, the data is only leaked briefly, making a potential attack difficult to carry out.
 
The flaw (CVE-2021-28133) stems from a glitch in the screen sharing function of video conferencing platform Zoom. This function allows users to share the contents of their screen with other participants in a Zoom conferencing call. They have the option to share their entire screen, one or more application windows or just one selected area of their screen.
 
However, “under certain conditions” if a Zoom presenter chooses to share one application window, the share-screen feature briefly transmits content of other application windows to meeting participants, according to German-based SySS security consultant Michael Strametz, who discovered the flaw, and researcher Matthias Deeg, in a Thursday disclosure advisory (which has been translated via Google).
 
“The impact in real-life situations would be sharing confidential data in an unintended way to unauthorized people,” Deeg told Threatpost.
The current Zoom client version, 5.5.4 (13142.0301), for Windows is still vulnerable to the issue, Deeg told Threatpost.
 
The issue occurs in a “reliably reproducible manner” when a user shares one split application window (such as presentation slides in a web browser) while opening other applications (such as a mail client) in the background, in what is supposed to be in non-shared mode. Researchers found, the contents of the explicitly non-shared application window can be perceived for a “brief moment” by meeting participants.

Read more: Zoom Screen-Sharing Glitch ‘Briefly’ Leaks Sensitive Data | Threatpost