4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
A newly discovered glitch in Zoomβs screen sharing feature can accidentally leak sensitive information to other attendees in a call, according to the latest findings.
Tracked as CVE-2021-28133, the unpatched security vulnerability makes it possible to reveal contents of applications that are not shared, but only briefly, thereby making it harder to exploit it in the wild.
Itβs worth pointing out that the screen sharing functionality in Zoom lets users share an entire desktop or phone screen, or limit sharing to one or more specific applications, or a portion of a screen. The issue stems from the fact that a second application thatβs overlayed on top of an already shared application can reveal its contents for a short period of time.
βWhen a Zoom user shares a specific application window via the βshare screenβ functionality, other meeting participants can briefly see contents of other application windows which were not explicitly shared,β SySS researchers Michael Strametz and Matthias Deeg noted. βThe contents of not shared application windows can, for instance, be seen for a short period of time by other users when those windows overlay the shared application window and get into focus.β
The flaw, which was tested on versions 5.4.3 and 5.5.4 across both Windows and Linux clients, is said to have been disclosed to the videoconferencing company on December 2, 2020. The lack of a fix even after three months could be attributed in part to the difficulty in exploiting the vulnerability.
But nonetheless, this could have serious consequences depending on the nature of the inadvertently shared data, the researchers warned, adding a malicious participant of a Zoom meeting can take advantage of the weakness by making use of a screen capture tool to record the meeting and playback the recording to view the private information.
When reached for a response, a Zoom spokesperson said itβs working to address the issue. βZoom takes all reports of security vulnerabilities seriously,β the company told The Hacker News via email. βWe are aware of this issue, and are working to resolve it.β
Found this article interesting? Follow THN on Facebook, Twitter ο and LinkedIn to read more exclusive content we post.
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N