An attacker discovered a serious cross-site scripting vulnerability (XSS), in Zoom Whiteboard’s app. Zoom fixed the issue quickly to prevent any malicious exploit.
Zoom Whiteboard vulnerability
Eugene Lim (aka Spaceraccoon) shared the details of a and discussed a vulnerability for cross-site scripting in Zoom Whiteboard.
The researcher identified the Protocol Buffer (
prototypebuf) in the client-side code that triggers XSS while scanning it. Protocol Buffer, an open-source and cross-platform method for serializing structured information, is language neutral, free-of-charge, and can be used on any platform. This allows you to create programs for communicating across a network and data storage.
Zoom Whiteboard protocol buffers transmit
ClipboardItem objects via Websocket to the client. It transmits paste data to the server “as is”. This is where the researcher noticed an XSS especially in transferring HTML objects.
The client transformed the
prototypebuf object to the
React component. However, React automatically cleans HTML. But the researcher noticed that certain tags were still not being sanitized.
Lim displayed this flaw when he added a script on the Clipboard and pasted it. This triggered the XSS because the Clipboard had escaped sanitization.
Zoom Patched the Flaw
The researcher discovered the bug and reported it to Zoom on July 28th 2022. Zoom quickly responded to his request and issued a fix for the problem on August 21st 2022.
Zoom users should have the latest bug fixes as the patch was already released. It is better to make sure your Zoom devices have the most recent Zoom version.