- Zoom has a bug that could reveal sensitive information to all meeting participants.
- The flaw lies in the screen sharing function and is triggered by specific actions.
- A malicious individual recording a meeting could analyze the video and find the information in certain frames.
A flaw in Zoom’s screen sharing feature, tracked as “CVE-2021-28133”, could result in the accidental disclosure of sensitive information to all attendees in a call. The bug was discovered by pentest experts and security consultants Michael Strametz and Matthias Deeg, who reported it to Zoom back on December 2, 2020.
Even though more than three months have passed, and the disclosure deadline has been reached, Zoom hasn’t fixed the vulnerability because apparently, the firm doesn’t believe it is critical enough or even easy to exploit.
The flaw’s existence was confirmed on versions 5.4.3 and 5.5.4, affecting both Windows and Linux clients. This means the latest version of the Zoom client is still vulnerable to exploitation, so here’s what to watch out for.
Screen sharing is a feature that allows a meeting participant to share the contents of their screen with others. The user has the option to select an area of the screen, specific windows, or everything. The user may also share the screen with a selection of the meeting participants rather than all of them. Under certain conditions, Zoom briefly transmits screen content that is outside of the shared selection, and it does so to all of the meeting’s participants.
The bug is triggered when sharing an application window that is overlaid by another application window, either when opening (under Windows) or when closing (under Linux) another, non-shared application. Because the sensitive contents are displayed only briefly, for a few frames of the video, many participants won’t even notice. However, because recording these calls isn’t unusual at all, someone could revisit the video and analyze it frame by frame, freezing on the images that disclose the sensitive information.
This is obviously not hard to exploit, but if the user who wants to protect their sensitive data avoids the triggering actions, everything should stay private. If you want to be sure, just close or minimize the stuff that others shouldn’t see before the meeting begins. We expect Zoom to release a fix now that the flaw has received some publicity, although the firm shouldn’t have delayed the fix for so long.
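For presenters who record their own sessions, the following added example (not code from this article, the researchers, or Zoom) flags bursts of a few frames that differ sharply from the shared content and then disappear, so the affected seconds can be reviewed and trimmed before a recording is distributed. All function names are hypothetical, and it assumes the recording has already been decoded into small grayscale thumbnails; the sample frames are constructed.

```python
# Added example: audit a recording of your own screen share for short-lived
# bursts of foreign content. Frames are tiny grayscale thumbnails (flat tuples
# of 0-255 values); decoding a real video into them is assumed to be done
# elsewhere. Thresholds are illustrative assumptions, not measured values.

def mean_abs_diff(a, b):
    """Average per-pixel difference between two equally sized thumbnails."""
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)

def find_transients(frames, max_len=5, threshold=20.0):
    """Return (first, last) index pairs of runs of at most max_len frames
    that depart from the preceding frame and then return to it."""
    hits = []
    i = 1
    while i < len(frames):
        base = frames[i - 1]                      # last frame before a change
        if mean_abs_diff(frames[i], base) <= threshold:
            i += 1
            continue
        j = i                                     # walk to the end of the run
        while (j < len(frames) and j - i <= max_len
               and mean_abs_diff(frames[j], base) > threshold):
            j += 1
        if j < len(frames) and j - i <= max_len:  # content came back: transient
            hits.append((i, j - 1))
            i = j + 1
        else:                                     # lasting change, e.g. new slide
            i = j
    return hits

def to_seconds(hits, fps):
    """Convert frame index pairs to (start, end) times in seconds."""
    return [(round(a / fps, 3), round((b + 1) / fps, 3)) for a, b in hits]

def sample_recording():
    """Constructed data: shared window, 2 foreign frames, then a new slide."""
    shared = (200,) * 16
    other = (30,) * 16
    slide = (120,) * 16
    return [shared] * 10 + [other] * 2 + [shared] * 10 + [slide] * 10

if __name__ == "__main__":
    found = find_transients(sample_recording())
    print(found, to_seconds(found, fps=25))
```

A burst that is still on screen when the recording ends is not reported, because the content never returns to the earlier frame; check the final seconds manually.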
Update 20/03: A Zoom spokesperson has reached out following the publication of this article, and has confirmed to us that they will be fixing the flaw soon. Here's the short statement the firm shared:
Zoom takes all reports of security vulnerabilities seriously. We are aware of this issue, and are working to resolve it.