A glitch in Zoom’s screen sharing feature raises security concerns

The glitch in Zoom’s screen sharing feature could accidentally leak users’ data to other meeting participants on a call. However, the data is only leaked briefly, making a potential attack difficult to carry out, according to Threatpost.

The bug is caused by an error in Zoom’s screen sharing feature. The feature helps users to share the contents of their computer with other Zoom conferencing call participants. They can share their whole screen, one or more program windows, or only a portion of their screen.

Glitch in Zoom’s screen sharing feature could expose personal information

However, if a Zoom presenter chooses to share one application window, the share-screen function temporarily transmits information from other application windows to meeting participants, according to a disclosure advisory issued on Thursday by security expert Michael Strametz and researcher Matthias Deeg of Germany-based SySS.

“The impact in real-life situations would be sharing confidential data in an unintended way to unauthorized people,” 

The glitch in Zoom’s screen sharing feature arises in a “reliably reproducible manner” when a user shares one split program window (such as presentation slides in a web browser) while opening other windows (such as a mail client) in the background, in what is intended to be non-shared mode. According to the results, meeting participants can see the contents of the explicitly non-shared application window for a “brief moment.”

Because this glitch in Zoom’s screen sharing feature would be difficult to exploit intentionally (an attacker would need to be a participant in a meeting where data is accidentally leaked by the bug), the flaw is rated only medium severity (5.7 out of 10) on the CVSS scale.

However, “the severity of this issue really depends on the unintended shared data,” Deeg told Threatpost. “In some cases, it doesn’t matter, in other cases, it may cause more trouble.”

For instance, if a conference or webinar panellist was presenting slides to those in attendance via Zoom, and then opened a password manager or email application in the background, other Zoom participants would be able to access this information.

The issue was reported to Zoom on 2nd December 2020; however, as of today, researchers said they are “not aware of a fix” despite several inquiries to Zoom for status updates. “Zoom takes all reports of security vulnerabilities seriously,” a Zoom spokesperson told Threatpost. “We are aware of this issue, and are working to resolve it.”

With the coronavirus pandemic, more companies have gone remote over the last year, and video conferencing platforms such as Zoom have been dealing with a variety of security and privacy concerns, including attackers hijacking online meetings. Other security flaws in Zoom’s platform have been discovered in the last year, including one that may have enabled attackers to break private meeting passcodes and eavesdrop on video conferences. Zoom, for its part, has taken major steps to protect its conferencing network, including increasing end-to-end encryption and introducing new security controls.

Source: Threatpost
