CVE-2022-36928 - How a Simple Path Traversal Flaw in Zoom for Android Exposed Your Data

If you use Zoom on your Android phone, you probably expect your files, settings, and even chat histories to stay secure inside the app. Sadly, a critical flaw tracked as CVE-2022-36928 put that trust at risk if you didn’t update your Zoom app after late 2022. This vulnerability allowed any app on your phone to read and write inside Zoom’s private directory, something Android explicitly forbids, and for good reason.

In this post, I’ll break down what this bug was, how it worked, and why it was a big deal. I’ll also show you a code snippet to help you understand just how simple this kind of vulnerability can be—and how a crafty developer could exploit it.

What is CVE-2022-36928?

This is an Android path traversal vulnerability that existed in Zoom for Android clients before version 5.13. Essentially, this flaw let another app on your device read from and write into Zoom’s private app data directory.

Android is built to protect one app’s data from all others unless special permissions are granted. This vulnerability flattened that privacy wall. Here’s the NIST entry for the bug.

How Did This Happen?

The root cause was improper validation of file paths. The Zoom app would accept file names, including those submitted by outside processes (like intents from other apps), without carefully checking whether those file paths pointed outside Zoom’s intended storage area.

A rogue app could simply craft a file name like ../../../../data/data/us.zoom.videomeetings/shared_prefs/zoom_us.xml, tricking Zoom into reading from or writing to internal Zoom files.  

This is a classic "directory traversal" or "path traversal" bug—an issue that’s plagued software forever.

Example: Code Snippet Showing the Vulnerability

Here’s a simple example in Java that shows the kind of mistake made by Zoom’s Android app (simplified for clarity):

// Suppose this code snippet handles files for Zoom (simplified; not Zoom's actual source)
import android.content.Context;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

public void saveFile(Context context, String fileName, byte[] data) throws IOException {
    // BAD: Doesn't validate fileName for traversal sequences!
    File dir = context.getFilesDir();     // the app's private data directory
    File file = new File(dir, fileName);  // fileName can be "../../../../etc/passwd"
    try (FileOutputStream fos = new FileOutputStream(file)) {
        fos.write(data);                  // the stream is closed even if write() throws
    }
}

An attacker could send a fileName like "../../../../data/data/us.zoom.videomeetings/shared_prefs/zoom_us.xml", escaping Zoom’s data directory and accessing protected files.

A secure version would reject names containing ".." or the path separator "/":

if (fileName.contains("..") || fileName.contains("/")) {
    throw new SecurityException("Invalid file name!");
}

But the vulnerable Zoom version did not enforce these checks.
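The string filter above stops the obvious "../" payload, but the more robust defence is to resolve the candidate path to its canonical form and then confirm it still sits under the app's directory. Here is an added example of that check (my code, not Zoom's and not from the original post). It takes a plain java.io.File base directory in place of Android's Context.getFilesDir() so it runs on a desktop JVM; the class name SafeFileStore and the method resolveInside are hypothetical, and the sample file names in main() are constructed.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class SafeFileStore {

    // Resolves fileName under baseDir and rejects anything that escapes it.
    // Canonicalising both sides normalises "..", redundant separators and
    // symlinks before the containment check, so the comparison is on the
    // path the OS would actually open, not on the raw string.
    static File resolveInside(File baseDir, String fileName) throws IOException {
        if (fileName == null || fileName.isEmpty()) {
            throw new SecurityException("Empty file name");
        }
        File canonicalBase = baseDir.getCanonicalFile();
        File candidate = new File(canonicalBase, fileName).getCanonicalFile();
        // Append the separator so that "/data/app-evil" is not accepted
        // as lying inside "/data/app" (a sibling-prefix bypass).
        String basePrefix = canonicalBase.getPath() + File.separator;
        if (!candidate.getPath().startsWith(basePrefix)) {
            throw new SecurityException("Path escapes app directory: " + fileName);
        }
        return candidate;
    }

    // Hardened counterpart of the vulnerable saveFile(): identical write,
    // but the target is resolved and checked before the file is opened.
    static void saveFile(File baseDir, String fileName, byte[] data) throws IOException {
        File target = resolveInside(baseDir, fileName);
        try (FileOutputStream fos = new FileOutputStream(target)) {
            fos.write(data);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox directory standing in for the app-private files dir.
        File baseDir = new File(System.getProperty("java.io.tmpdir"), "zoom-demo-files");
        baseDir.mkdirs();

        String[] inputs = {
            "notes.txt",                                                          // legitimate
            "sub/notes.txt",                                                      // legitimate nested name
            "../../../../data/data/us.zoom.videomeetings/shared_prefs/zoom_us.xml", // traversal from the post
            "../zoom-demo-files-evil/x"                                           // sibling-prefix trick
        };
        for (String name : inputs) {
            try {
                File f = resolveInside(baseDir, name);
                System.out.println("ACCEPT " + name + " -> " + f);
            } catch (SecurityException e) {
                System.out.println("REJECT " + name + " (" + e.getMessage() + ")");
            }
        }
        saveFile(baseDir, "notes.txt", "hello".getBytes(StandardCharsets.UTF_8));
    }
}
```

Running it accepts the first two names and rejects the last two. Note that this check deliberately allows nested names such as "sub/notes.txt" as long as they stay under the base; if the caller only ever expects a flat file name, keep the simpler separator check from above as well. Because "new File(parent, child)" on Android treats an absolute child as relative to the parent, an input beginning with "/" is also caught by the same containment test.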

What Could an Attacker Do?

1. A Malicious App: An attacker writes a third-party Android app and gets a user to install it (no root needed!).
2. Craft Exploit Path: The app sends a request or intent to Zoom containing a crafted filename (with ../ sequences).
3. Zoom Reads/Writes: Zoom, trusting this filename, reads from or writes to a file it never should.

- Steal data: Read Zoom’s config files, token files, saved chats, or user info.
- Poison data: Write into Zoom’s files, potentially breaking the app or performing a local denial-of-service.

Here’s a potential demonstration technique (in pseudocode):

// Pseudocode for a malicious Android app
Intent zoomIntent = new Intent();
zoomIntent.setComponent(new ComponentName(
    "us.zoom.videomeetings",
    "us.zoom.videomeetings.SomeFileHandlerActivity"
));
zoomIntent.putExtra("fileName", "../../../../data/data/us.zoom.videomeetings/shared_prefs/zoom_us.xml");
context.startActivity(zoomIntent);

// If Zoom's handler uses the input directly, attacker now has access


*Note:* The actual exploit depends on which Zoom activities or services accepted arbitrary file names—a real exploit would require mapping those out.

Official References

- NIST National Vulnerability Database: CVE-2022-36928
- Zoom Security Bulletin - December 2022
- Zoom Changelog for v5.13.

How Was It Fixed?

After being notified, Zoom plugged the hole in version 5.13. (December 2022) by filtering out path traversal characters and tightening file path checks. Everyone is strongly urged to update their Zoom app to at least this version (or newer).

Conclusion

Path traversal bugs like CVE-2022-36928 seem basic, but they can have massive consequences. Always keep your apps updated. App developers: never pass user/file input straight into sensitive file operations—sanitize everything, regardless of where the input comes from.

Remember: if you’re not watching your dependencies, someone else might be!


Stay safe and patched!  
If you want to dig deeper, check the original CVE advisory and stay up to date with Zoom’s official security advisories.

Timeline

Published on: 01/09/2023 19:15:00 UTC
Last modified on: 01/13/2023 19:13:00 UTC