According to recent reports, a newly disclosed Zoom bug can expose personal and sensitive information to other attendees of a Zoom meeting.
The Zoom glitch:
The glitch, which appears to be serious, allows meeting participants to briefly see the contents of applications that the Zoom caller never chose to share.
In normal operation, Zoom offers a ‘screen share’ feature during a video call. Users can broadcast their entire desktop or mobile phone screen for the other attendees to view, or, as a narrower option, share only a selected window or application.
The glitch affects this narrower form of screen sharing: when a second application is overlaid on top of the application being shared, the second application's contents can be displayed to the other attendees for brief moments.
The security vulnerability, tracked as CVE-2021-28133, currently remains unpatched.
Security experts are of the opinion that, because the glitch exposes the overlapping application only for a brief period, it is rather difficult to exploit in the wild.
Hazards of the Zoom bug:
Regardless of how briefly the information is visible, or how difficult the vulnerability is to exploit, the glitch can have severe repercussions depending on the nature of the information that is unwittingly shared.
In a plausible scenario, a malicious meeting participant could record the meeting with a screen recording tool and later play the recording back to capture whatever sensitive information was briefly exposed.
The glitch was reportedly reproduced in versions 5.4.3 and 5.5.4 on both Windows and Linux, and Zoom is said to have been made aware of the vulnerability back in December 2020.
The fact that the vulnerability remains unpatched may be attributable to the difficulty of abusing or exploiting it, which is why it has yet to be addressed.
For its part, the video teleconferencing company states that it “take[s] all reports of security vulnerabilities seriously and [is] working to resolve it.”