Zoom Screen-Sharing Issue ‘Briefly’ Leaks Confidential Data!

A problem in Zoom’s screen-sharing facility shows parts of presenters’ screens that they did not intend to share – potentially leaking emails or passwords.

A security slip-up in the current version of Zoom could accidentally leak users’ data to other meeting participants on a call. However, the data is only leaked briefly, making a potential attack hard to carry out.

The flaw (CVE-2021-28133) relates to a glitch in the screen-sharing function of the video conferencing platform Zoom. This function allows users to share the contents of their screen with other participants in a Zoom conferencing call. They have the option to share their entire screen, one or more application windows, or just one selected area of their screen.

Under Certain Conditions

However, “under certain conditions,” if a Zoom presenter chooses to share one application window, the share-screen feature briefly transmits the content of other application windows to meeting participants, according to Michael Strametz, a security consultant at Germany-based SySS who found the flaw, and researcher Matthias Deeg, in a disclosure advisory published in German on Thursday.

“The impact in real-life situations would be sharing confidential data in an unintended way to unauthorised people,” Deeg explained.

The current Zoom client version, 5.5.4 (13142.0301), for Windows is still vulnerable to the issue, Deeg outlined.

Split Application Window

The problem occurs in a “reliably reproducible manner” when a user shares one split application window (such as presentation slides in a web browser) while opening other applications (e.g., a mail client) in the background, in what is supposed to be ‘non-shared mode’.

Researchers found the contents of the explicitly non-shared application window can be seen for a “brief moment” by meeting participants.

While this would only happen briefly, researchers warned that other meeting members who are recording the Zoom meeting (either through Zoom’s built-in recording capabilities or via screen recording software like SimpleScreenRecorder) are able to then go back to the recording and fully see any potentially sensitive data leaked via the transmission.

Intentionally Exploit

Because this bug would be difficult to exploit intentionally (an attacker would need to be a participant in a meeting where data is inadvertently leaked by the bug), the flaw is only medium severity (5.7 out of 10) on the CVSS scale.

However, “the severity of this issue really depends on the unintended shared data,” Deeg outlined. “In some cases, it doesn’t matter, in other cases, it may cause more trouble.”

For example, if a conference or webinar panellist were presenting slides to attendees via Zoom, and then opened a password manager or email application in the background, other Zoom participants would be able to access this information.

Status Updates

The vulnerability was reported to Zoom last Dec. 2. However, as of the date of public disclosure on Thursday, researchers commented that they are “not aware of a fix” despite several inquiries for status updates from Zoom.

“Unfortunately, our questions concerning status updates on Jan. 21 and Feb. 1, 2021, remained unanswered,” Deeg explained. “I hope that Zoom will soon fix this issue and my only advice for all Zoom users… is to be careful when using the screen sharing functionality and to follow a strict ‘clean virtual desktop’ policy during Zoom meetings.”
