An attacker discovered a serious cross-site scripting vulnerability (XSS), in Zoom Whiteboard’s app. Zoom fixed the issue quickly to prevent any malicious exploit.
Zoom Whiteboard vulnerability
Eugene Lim (aka Spaceraccoon) shared the details of a and discussed a vulnerability for cross-site scripting in Zoom Whiteboard.
Zoom Whiteboard, a new feature and Zoom version 5.10.3, is an interactive platform that allows users to create visuals, such as sketches, hand-drawn, or animated presentations. The platform can support different objects such as shapes, text, rich text and images. JavaScript is used to create this near-real time communication capability. This feature is available in both the native and web.
The researcher identified the Protocol Buffer ( prototypebuf
) in the client-side code that triggers XSS while scanning it. Protocol Buffer, an open-source and cross-platform method for serializing structured information, is language neutral, free-of-charge, and can be used on any platform. This allows you to create programs for communicating across a network and data storage.
Zoom Whiteboard protocol buffers transmit ClipboardItem
objects via Websocket to the client. It transmits paste data to the server “as is”. This is where the researcher noticed an XSS especially in transferring HTML objects.
The client transformed the prototypebuf
object to the React
component. However, React automatically cleans HTML. But the researcher noticed that certain tags were still not being sanitized.
Lim displayed this flaw when he added a script on the Clipboard and pasted it. This triggered the XSS because the Clipboard had escaped sanitization.
Zoom Patched the Flaw
The researcher discovered the bug and reported it to Zoom on July 28th 2022. Zoom quickly responded to his request and issued a fix for the problem on August 21st 2022.
Zoom users should have the latest bug fixes as the patch was already released. It is better to make sure your Zoom devices have the most recent Zoom version.