Security researchers Michael Strametz and Matthias Deeg of SySS have discovered a vulnerability (CVE-2021-28133) in the Zoom screen sharing feature that could allow confidential user information to be shared with other call participants.
The detected problem allows to identify the content of applications that are not shared, but only for a short time, making it difficult to exploit the vulnerability in real attacks. Zoom's screen sharing feature allows users to share an entire desktop or phone screen, or restrict sharing to one or more specific apps or part of the screen. The problem arises because a second application running on top of an already shared application can reveal its contents within a short period of time.
"When a Zoom user grants access to a specific application window using the screen share function, other participants in the meeting may briefly see the contents of other application windows," the researchers noted.
Experts spotted an issue in Zoom 5.4.3 and 5.5.4 for Windows and Linux and reported their findings to the company on December 2, 2020. Three months have passed since then, but the company has not released a fix for this vulnerability. Presumably, this may be due to the complexity of its operation in real attacks.