Video conferencing platform fixes cross-site scripting vulnerability

Zoom has patched a cross-site scripting (XSS) bug that worked in both the desktop and web versions of its Whiteboard app.

Zoom Whiteboard allows users to collaborate in real time on a shared canvas by adding and editing different objects. Whiteboard runs JavaScript code in both the browser and the desktop app.

Escaping sanitization

The XSS bug in Zoom Whiteboard was discovered by security researcher Eugene Lim (also known as ‘spaceraccoon’). Lim focuses on the overlap between web, mobile, desktop, and other platforms, which is how he became interested in investigating Zoom Whiteboard.

Whiteboard supports several types of objects, including text, shapes, rich text, images, and sticky notes.

To store and transfer objects, it uses Protocol Buffers (protobuf), a language- and platform-neutral mechanism for serializing structured data. It uses WebSocket to broadcast protobuf objects to all clients and provide real-time updates on the whiteboard.

Once received, the client transforms the protobuf object into its corresponding React component and inserts it into the user interface.

React automatically sanitizes all HTML attributes contained in the whiteboard objects. However, a few of the objects allow some HTML tags. For some objects, the developers used custom regex functions to sanitize user input and remove disallowed tags.

Lim discovered that with a well-crafted HTML string, he could bypass the sanitization check and send arbitrary JavaScript code to all other clients and stage an XSS attack.

Weaponizing the clipboard

Exploiting the bug would require a complicated effort by the attacker.

“WebSocket messages are sent in the protobuf format. This makes it tricky to write a proof-of-concept that’s easy for triagers to reproduce because they need to intercept the WebSocket request as well as modify the protobuf message correctly before the request is dropped,” Lim told The Daily Swig.

To overcome this challenge, he developed an end-to-end proof of concept script that used the clipboard to create and deliver the XSS payload.

The challenges of hybrid applications

Lim believes there are two factors that make it difficult to find and plug such bugs. First is the breadth and depth of JavaScript web APIs that support additional features.

“From WebRTC (video calling) to WebGL (2D/3D graphics), there’s a lot more you can do in a browser nowadays than simply pop an alert. This increases the attack surface and potential for bypasses,” he said.

And second is the growing overlap between web and native/desktop applications.

“Developers need to secure their apps across multiple platforms, which increases the complexity as JavaScript in React on Safari might work slightly differently than React Native with Hermes on Android,” Lim said.

Check your third-party dependencies

Finally, Lim warned about flaws in third-party dependencies.

“Code scanning tools did not pick up the actual [Zoom] vulnerability because the user input flowed through a third-party dependency,” he said.

Typically, code scans in CI/CD pipelines do not install third-party dependencies and run only on the project source code.

“The takeaway here is to be very aware of the third-party components you are using and how you are using them,” Lim said. “Additionally, regexes are very tricky to do yourself so it may be better to rely on libraries like DOMPurify.”
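
The sanitization failure described under "Escaping sanitization" and the advice above against hand-rolled regexes, as an added example that is not from the article, Zoom or Lim's report: a single-pass denylist regex reassembles a disallowed tag from a constructed input, while escaping first and restoring only exact allowlisted tags does not. All function names, tag lists and sample strings are assumptions for illustration; the actual Whiteboard regex and payload are not on this page.

```javascript
// Added example: every name, tag list and sample string here is constructed,
// not taken from Zoom Whiteboard or the researcher's report.

// Denylist approach (hypothetical): delete disallowed tags in one regex pass.
const DISALLOWED = /<\/?(?:script|iframe|object|embed)\b[^>]*>/gi;
function regexStrip(html) {
  return html.replace(DISALLOWED, '');
}

// Allowlist approach: escape all markup, then restore only exact,
// attribute-free tags from a short list.
const ALLOWED_TAGS = ['b', 'i', 'u', 'br'];
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}
function allowlistSanitize(html) {
  const restore = new RegExp(`&lt;(/?)(${ALLOWED_TAGS.join('|')})&gt;`, 'g');
  return escapeHtml(html).replace(restore, '<$1$2>');
}

// Regression check for a sanitizer: list every tag name that survives in the
// output and is not on the allowlist. An empty array means the output is clean.
function unexpectedTags(html) {
  const found = [];
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.includes(name)) found.push(name);
  }
  return found;
}

// Constructed inputs: a plain disallowed tag, and one split around a second
// copy so that deleting the inner copy joins the outer halves back together.
const SAMPLES = [
  '<b>agenda</b> <script>x</script>',
  '<b>agenda</b> <scr<script>ipt>x</scr</script>ipt>',
];

// Run both sanitizers on one input and report what each lets through.
function compare(input) {
  return {
    regex: unexpectedTags(regexStrip(input)),
    allowlist: unexpectedTags(allowlistSanitize(input)),
  };
}

for (const s of SAMPLES) console.log(JSON.stringify(s), compare(s));
```

In a browser application, a maintained sanitizer such as DOMPurify with an explicit tag allowlist takes the place of `allowlistSanitize`.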
