A researcher found a severe cross-site scripting (XSS) vulnerability in the Zoom Whiteboard app. Zoom patched the flaw in time, preventing any malicious exploitation.
Zoom Whiteboard Vulnerability
Sharing the details in a blog post, Eugene Lim, aka Spaceraccoon, elaborated on a cross-site scripting vulnerability in the Zoom Whiteboard app.
While scanning the client-side code for this feature, the researcher highlighted the Protocol Buffer (
protobuf) as the key area triggering XSS. Protocol Buffer is an open-source, language-neutral, cross-platform mechanism for serializing structured data. It facilitates developing programs in communicating over a network or for data storage.
In Zoom Whiteboard, protocol buffers transfer the
ClipboardItem objects from the Clipboard via Websocket from the client to the server. Simply put, it transmits the pasted data “as-is” to the server. That’s where the researcher observed an XSS, especially when transferring HTML objects.
While the client transforms the
protobuf object into the
React component, where React automatically sanitizes HTML, the researcher observed that some tags still escaped sanitization.
Lim demonstrated this flaw by adding a script to the Clipboard, pasting which triggered the XSS since it escaped sanitization.
Zoom Patched The Flaw
After discovering the bug, the researcher disclosed the vulnerability to Zoom officials on July 28, 2022. He appreciated the prompt response from Zoom, who quickly triaged the bug and released a fix on August 21, 2022.
Since the patch has been released already, Zoom users must have received the bug fixes by now. Nonetheless, it’s better to ensure your devices are running the latest Zoom versions.