"Zoom Screen-Sharing Glitch ‘Briefly’ Leaks Sensitive Data"
Security researchers found a security blip in the current version of Zoom that could inadvertently leak users' data to other meeting participants on a call. The data is only leaked briefly, which makes a potential attack difficult to carry out.

The flaw (CVE-2021-28133) stems from a glitch in the screen-sharing function of the Zoom video conferencing platform. When a user shares a single application window (such as presentation slides in a web browser) and then opens other applications (such as a mail client) in the background, which are supposed to remain in non-shared mode, researchers found that the contents of the explicitly non-shared application window can be perceived for a "brief moment" by meeting participants.

While the exposure is only momentary, researchers warn that other participants who are recording the Zoom meeting (either through Zoom's built-in recording capabilities or via screen recording software such as SimpleScreenRecorder) can go back to the recording and fully view any sensitive data leaked through that transmission.

Because the bug would be difficult to exploit intentionally (an attacker would need to be a participant in a meeting where the bug inadvertently leaks data), the flaw is rated only medium severity (5.7 out of 10) on the CVSS scale.
Source: Threatpost, "Zoom Screen-Sharing Glitch 'Briefly' Leaks Sensitive Data"