Video conferencing platform fixes cross-site scripting vulnerability
The XSS bug in Zoom Whiteboard was discovered by security researcher Eugene Lim (also known as ‘spaceraccoon’). Lim focuses on the overlap between web, mobile, desktop, and other platforms, which is how he became interested in investigating Zoom Whiteboard.
Whiteboard supports several types of objects, including text, shapes, rich text, images, and sticky notes.
To store and transfer objects, it uses Protocol Buffers (protobuf), a language- and platform-neutral format for serializing structured data. The platform uses WebSocket to broadcast protobuf objects to all connected clients and provide real-time updates on the whiteboard.
Once received, the client transforms the protobuf object into its corresponding React component and inserts it into the user interface.
React automatically sanitizes all HTML attributes contained in the whiteboard objects. However, a few of the objects allow some HTML tags. For some objects, the developers used custom regex functions to sanitize user input and remove disallowed tags.
Weaponizing the clipboard
Exploiting the bug would require a complicated effort by the attacker.
“WebSocket messages are sent in the protobuf format. This makes it tricky to write a proof-of-concept that’s easy for triagers to reproduce because they need to intercept the WebSocket request as well as modify the protobuf message correctly before the request is dropped,” Lim told The Daily Swig.
To overcome this challenge, he developed an end-to-end proof of concept script that used the clipboard to create and deliver the XSS payload.
The challenges of hybrid applications
“From WebRTC (video calling) to WebGL (2D/3D graphics), there’s a lot more you can do in a browser nowadays than simply pop an alert. This increases the attack surface and potential for bypasses,” he said.
The second challenge he pointed to is the growing overlap between web and native/desktop applications.
Check your third-party dependencies
Finally, Lim warned about flaws in third-party dependencies.
“Code scanning tools did not pick up the actual [Zoom] vulnerability because the user input flowed through a third-party dependency,” he said.
Typically, code scans in CI/CD pipelines do not install third-party dependencies and run only on the project source code.
“The takeaway here is to be very aware of the third-party components you are using and how you are using them,” Lim said. “Additionally, regexes are very tricky to do yourself so it may be better to rely on libraries like DOMPurify.”
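To illustrate the contrast between the custom regex stripping described above and a stricter allowlist approach, here is an added example; it is not Zoom's code and does not come from Lim's research. The allowed tag names, the sample input, and the function names are constructed for the demonstration.

```javascript
// Added example: a denylist regex stripper beside an escape-then-allowlist
// sanitizer. Constructed for this article; not Zoom Whiteboard's code.

// Weak approach: a denylist regex that only removes <script> tags, in the
// style of hand-written regex sanitizers. Any other tag or attribute passes.
function denylistStrip(html) {
  return html.replace(/<\/?script[^>]*>/gi, "");
}

// Hardened approach: HTML-escape everything first, then re-allow only an
// exact set of bare formatting tags with no attributes. Because every '<'
// is escaped before re-allowing, nothing outside this set can survive.
const ALLOWED = ["b", "i", "u", "em", "strong"]; // constructed allowlist
const ALLOWED_TAG = new RegExp("&lt;(/?)(" + ALLOWED.join("|") + ")&gt;", "gi");
const BARE_ALLOWED = new RegExp("^<\\/?(" + ALLOWED.join("|") + ")>$", "i");

function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;") // '&' first so later entities are not doubled
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

function allowlistSanitize(html) {
  // A literal "&lt;b&gt;" in the input became "&amp;lt;b&amp;gt;" above,
  // so only tags that were real '<b>' / '</b>' in the input match here.
  return escapeHtml(html).replace(
    ALLOWED_TAG,
    (_, slash, name) => `<${slash}${name.toLowerCase()}>`
  );
}

// Defender-side check: does the output contain any tag that is not one of
// the bare allowed tags? Useful as a unit test on a sanitizer's output.
function containsUnexpectedTag(html) {
  const tags = html.match(/<\/?[^>]+>/g) || [];
  return tags.some((t) => !BARE_ALLOWED.test(t));
}

// Constructed sample: allowed bold text followed by an <img> with an inert
// event-handler attribute. No <script> tag, so the denylist leaves it alone.
const SAMPLE = '<b>hello</b><img src="x" onerror="x()">';
```

Running `containsUnexpectedTag` over both outputs shows the denylist version still carries the `<img>` tag with its handler attribute, while the allowlist version keeps only `<b>` and `</b>`.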