Zoom Whiteboard patches XSS bug

Zoom has patched a cross-site scripting (XSS) bug that worked in both the desktop and web versions of its Whiteboard app.

Zoom Whiteboard allows users to collaborate in real time on a shared canvas by adding and editing different objects. Whiteboard runs JavaScript code both in the browser and in the desktop app.

Escaping sanitization

The XSS bug in Zoom Whiteboard was discovered by security researcher Eugene Lim (also known as ‘spaceraccoon’). Lim focuses on the overlap between web, mobile, desktop, and other platforms, which is how he became interested in investigating Zoom Whiteboard.

Whiteboard supports several types of objects, including text, shapes, rich text, images, and sticky notes.

To store and transfer objects, it uses Protocol Buffers (protobuf), a language- and platform-neutral format for serializing structured data. It uses WebSocket to broadcast protobuf objects to all clients and provide real-time updates on the whiteboard.

Once received, the client transforms the protobuf object into its corresponding React component and inserts it into the user interface.

React automatically sanitizes all HTML attributes contained in the whiteboard objects. However, a few of the objects allow some HTML tags. For some objects, the developers used custom regex functions to sanitize user input and remove disallowed tags.

Lim discovered that with a well-crafted HTML string, he could bypass the sanitization check and send arbitrary JavaScript code to all other clients and stage an XSS attack.

Weaponizing the clipboard

Exploiting the bug would require a complicated effort by the attacker.

“WebSocket messages are sent in the protobuf format. This makes it tricky to write a proof-of-concept that’s easy for triagers to reproduce because they need to intercept the WebSocket request as well as modify the protobuf message correctly before the request is dropped,” Lim told The Daily Swig.

To overcome this challenge, he developed an end-to-end proof-of-concept script that used the clipboard to create and deliver the XSS payload.

The challenges of hybrid applications

Lim believes there are two factors that make it difficult to find and plug such bugs. First is the breadth and depth of JavaScript web APIs that support additional features.

“From WebRTC (video calling) to WebGL (2D/3D graphics), there’s a lot more you can do in a browser nowadays than simply pop an alert. This increases the attack surface and potential for bypasses,” he said.

And second is the growing overlap between web and native/desktop applications.

“Developers need to secure their apps across multiple platforms, which increases the complexity as JavaScript in React on Safari might work slightly differently than React Native with Hermes on Android,” Lim said.


Check your third-party dependencies

Finally, Lim warned about flaws in third-party dependencies.

“Code scanning tools did not pick up the actual [Zoom] vulnerability because the user input flowed through a third-party dependency,” he said.

Typically, code scans in CI/CD pipelines do not install third-party dependencies and run only on the project source code.

“The takeaway here is to be very aware of the third-party components you are using and how you are using them,” Lim said. “Additionally, regexes are very tricky to do yourself so it may be better to rely on libraries like DOMPurify.”
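The regex-versus-library point above, together with the sanitizer bypass described under "Escaping sanitization", as an added example that is not code from the article or from Zoom: a single-pass tag-removal regex beside a tokenizer-based allowlist filter (Python's stdlib html.parser stands in here for a proper library such as DOMPurify), plus a property check of the kind a code review or CI test should run over any sanitizer. The allowlist and the sample strings are constructed for the demo.

```python
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u", "p", "br"}   # assumed rich-text allowlist for the demo

def regex_sanitize(text: str) -> str:
    """Hand-rolled 'remove disallowed tags' filter: one regex, one pass."""
    return re.sub(r"<\s*script[^>]*>.*?<\s*/\s*script\s*>", "", text, flags=re.I | re.S)

class _AllowlistFilter(HTMLParser):
    """Tokenizer-based filter: re-emit only allowlisted tags, no attributes, escaped text."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
    def handle_starttag(self, tag, attrs):   # every attribute (onclick, href, ...) is dropped
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):              # text content is always re-escaped
        self.out.append(escape(data, quote=False))
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def parser_sanitize(text: str) -> str:
    p = _AllowlistFilter()
    p.feed(text)
    p.close()
    return "".join(p.out)

def sanitizer_failures(fn, samples):
    """Properties a sanitizer must hold on every input: a second pass changes nothing,
    re-tokenizing the output finds no tag outside the allowlist, and no inline
    event-handler attribute survives. Returns (reason, input) pairs."""
    failures = []
    for s in samples:
        out = fn(s)
        if fn(out) != out:
            failures.append(("not idempotent", s))
        if set(re.findall(r"<\s*/?\s*([a-zA-Z0-9]+)", out)) - ALLOWED_TAGS:
            failures.append(("disallowed tag survives", s))
        if re.search(r"\son\w+\s*=", out, flags=re.I):
            failures.append(("event handler attribute survives", s))
    return failures

# Constructed samples: benign rich text, an inline handler, the textbook nested-tag
# string that defeats single-pass removal, and an unclosed tag.
SAMPLES = [
    "<b>bold</b> and <i>italic</i><br>",
    "<p onclick=x>click</p>",
    "<scr<script></script>ipt>x</script>",
    "<script>unclosed",
]
```

Running `sanitizer_failures` over both filters shows the regex failing all three properties while the allowlist filter passes, which is the gap a code scanner that only reads the regex will not report.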

Copyright 2021 Associated Press. All rights reserved.

Source: https://portswigger.net/daily-swig/zoom-whiteboard-patches-xss-bug
