A German cybersecurity firm discovers a bug in Zoom apps for Windows and Linux, but the platform believes there is no risk to users, as things stand.
Researchers at German cybersecurity firm SySS have discovered a serious security bug in Zoom, one of the world's most widely used video conferencing platforms. The bug is very specific: it manifests itself only on Windows and Linux apps and only when screen sharing is enabled. However, the consequences of this bug could be quite serious, which is why researchers made this problem known after waiting, unsuccessfully, for Zoom to fix it.
Something Zoom didn't do most likely because the problem manifests itself on very particular occasions and to exploit it for illicit purposes you need to know about it and it is essential that the attacker is recording the screen during the video conferencing session or one-to-one video call. A coincidence of events, therefore, that Zoom considers unlikely if the problem does not become known to the general public. Now, however, everyone knows about the problem and everyone can use it to their advantage. That's why it's right to be very careful when using Zoom, while waiting for the final solution to arrive with a fix patch. Here's how the Zoom bug works and in which particular occasions we should be careful.
Zoom bug: when it occurs
The bug discovered by SySS researchers manifests itself when we are sharing the screen. On Zoom, you can choose whether to share the whole screen, just a window, or just a portion of the screen. If we choose to share only one window, the problem may arise: if an app opens in the background just below the window we are sharing on Zoom, for a few fractions of a second this new window will be visible to all users connected in the same meeting.
This is a very short time (very few fractions of a second) not enough to read with the naked eye the information contained in the window that appeared and disappeared so quickly. But if someone is recording the meeting things change: in the final recording there will be a few (but fundamental) frames showing the open window in the background and all its content.
Content that, of course, could be anything: from our email account to the browser, passing through the access to our online bank account. From a technical point of view, in fact, nothing changes: whatever is opened will be displayed and shared with everyone, albeit for a very short time.
Zoom doesn't respond
From the experiments done by SySS, the bug only occurs with Zoom versions 5.4.3 and 5.5.4 for Windows and Linux, while on macOS and mobile it doesn't. SySS notified Zoom about the existence of this security vulnerability back in December, but did not get any response. Per questo motivo la società tedesca ha deciso di rendere noto a tutti il bug, una scelta fatta spesso dalle aziende e dai ricercatori quando non ottengono risposta sui bug scoperti, al fine di fare pressione sugli sviluppatori.
Una scelta in larga parte condivisibile, visto che da qualche tempo è possibile condividere una riunione di Zoom su YouTube e questo moltiplica il numero di persone che potrebbero accedere ai dati riservati di chi trasmette il proprio schermo.
Zoom, come tutte le grandi piattaforme Web del mondo, ha infatti un “bounty program" che prevede ricompense in denaro per chi scopre delle vulnerabilità di sicurezza e non le rende pubbliche fino a quando non vengono risolte. Questa volta, però, Zoom ha ritenuto il bug scoperto da SySS non sufficientemente grave da meritare una ricompensa. Forse ora cambierà idea.