A researcher found a severe cross-site scripting (XSS) vulnerability in the Zoom Whiteboard app. Zoom patched the flaw in time, preventing any malicious exploitation.
Zoom Whiteboard Vulnerability
Sharing the details in a blog post, Eugene Lim, aka Spaceraccoon, elaborated on a cross-site scripting vulnerability in the Zoom Whiteboard app.
Zoom Whiteboard is a relatively new feature launched in early 2022 with Zoom version 5.10.3 as an interactive platform for users to share presentations, ideas, lectures, etc., with creative visuals such as hand-drawn sketches. To support these features, the platform supports different objects, like shapes, texts, rich text, images, and sticky notes. This near-real-time communication functionality is achieved using JavaScript and an embedded browser. Both the web and native client Zoom versions support this feature.
While scanning the client-side code for this feature, the researcher highlighted the Protocol Buffer (protobuf) as the key area triggering XSS. Protocol Buffer is an open-source, language-neutral, cross-platform mechanism for serializing structured data. It facilitates developing programs in communicating over a network or for data storage.
In Zoom Whiteboard, protocol buffers transfer the ClipboardItem objects from the Clipboard via Websocket from the client to the server. Simply put, it transmits the pasted data “as-is” to the server. That’s where the researcher observed an XSS, especially when transferring HTML objects.
While the client transforms the protobuf object into the React component, where React automatically sanitizes HTML, the researcher observed that some tags still escaped sanitization.
Lim demonstrated this flaw by adding a script to the Clipboard, pasting which triggered the XSS since it escaped sanitization.
Zoom Patched The Flaw
After discovering the bug, the researcher disclosed the vulnerability to Zoom officials on July 28, 2022. He appreciated the prompt response from Zoom, who quickly triaged the bug and released a fix on August 21, 2022.
Since the patch has been released already, Zoom users must have received the bug fixes by now. Nonetheless, it’s better to ensure your devices are running the latest Zoom versions.
– LHN