
Zoom security flaw lets other people see way too much

[Image: Zoom security flaw. Image credit: Zoom]

A security glitch in Zoom’s screen-sharing feature could potentially put users’ data at risk. The flaw briefly lets people see parts of a presenter’s screen that shouldn't have been visible at all.

That means the presenter could inadvertently be broadcasting sensitive information, such as usernames and passwords, without even realizing it. Plus there’s always the potential for embarrassing stuff to show up at the same time.

Zoom gives presenters the option to share a view of their entire screen, certain applications, or a very select area of the screen. This new flaw, discovered by SySS security consultants Michael Strametz and Matthias Deeg, means that “under certain conditions” the single-application view doesn't work correctly.

Rather than seeing one app, and only one app, viewers would briefly be able to see other windows on the presenter’s screen.

The researchers found that the other applications were only visible for “a brief moment”, but that may well be enough for a vigilant viewer to get a glimpse of sensitive information.

That’s especially concerning if any participants are recording the meeting. Even if people can’t register any information during the brief moment the other screens are visible, viewers could go back through their recordings and snoop around.

Of course there are difficulties in exploiting this bug, since it would rely on an attacker actually being present on the call in the first place. The severity also depends on the kind of data that’s shared. Items like the screens of password managers would be a major concern, as would the contents of sensitive emails.

Then again, if other Zoom meeting participants saw you looking at a Reddit page of cute animals, it wouldn't be as serious a problem. It may be a little embarrassing for that to be on display to everyone, but it’s not going to negatively impact your life.

The flaw was reported to Zoom on December 2, but the researchers say that they are “not aware of a fix”. The current version of Zoom for Windows, version 5.5.4 (13142.0301), is still vulnerable, and researchers say the problem can occur in a “reliably reproducible manner”.

Zoom told Threatpost that it is aware of the issue and is working to resolve the problem. In the meantime, you should be more careful about the things you do while presenting on Zoom. Don’t open any applications you want to keep private.

Tom Pritchard