Jitsi dev here. We are currently revisiting this. It exists because in cases such as when Jitsi Meet is being embdeed there are pre-join pages provided externally by the "host" site. We will be limiting how this can be used going forward.
qualeed · 8h ago
Is/will there be any discussion on how initial triage of potential security issues will be handled in the future?
It was disappointing to see the responses in the post. A curt "It's a feature" to a valid security concern & disclosure, and not replying to a request to publish.
Jitsi says "We encourage responsible disclosure for the sake of our users, so please reach out before posting in a public space.". But if no one bothers to reply, why bother to reach out to Jitsi in the first place?
https://jitsi.org/ says, literally in the hero image banner, "More secure" as the first thing you see. The handling of this raises some concerns about that. (If you don't want to be scrutinized as much about privacy & security stuff, I would recommend not advertising "more secure" as the first thing people see on the site)
saghul · 2h ago
You are right, we dropped the ball on this one. We'll try and do better.
arm32 · 2h ago
Instead of trying, just do. Just do better.
cornholio · 17h ago
This is clearly a major vulnerability and not a feature, it's a permissions/credentials hijack.
The user has given permission for audio and videos recording to the jitsi domain during a previous meeting, and the domain is using those permissions to start an unsolicited meeting initiated by a 3rd party, who is given access to the video and audio of the victim.
graemep · 10h ago
Its also much less likely to be an issue if you self host Jitsi. its only really a worry for large public servers.
dathinab · 13h ago
This attack/feature hinges on the
config.prejoinConfig.enabled=false
config (which implicitly decides weather or not a prejoin dialog is shown)
but this makes me wonder
1. why can you set that config in a URL? Allowing users to set it for them-self seems fine, but allowing rooms or URL to use it seems ... off.
2. how many other sites have this attack surface (e.g. MS Teams) just more obscure
3. actually the moment the attacker controls JS probably *all* other video conference systems have the feature, through potentially needing a lot of additional work. In which case maybe just being straightforward and open about it is fine? But the cost of such an attack is just a very bit too low compared to other conference systems.
Can someone describe the feature that this is used for? I struggle to think of any valid reason for automatic joining with audio/video like that.
jeroenhd · 14h ago
Matrix embedded Jitsi as their voice/video calling solution for a while, probably still does depending on what client you use. Automatically joining the call when you click the call button just makes sense from a UX perspective.
That said, I can't think of a reason why you'd want to permit it outside of very specific containers. Useful for integration, but outright bad design for a public instance.
ginking · 19h ago
I would say it's to reduce friction - only grant permission once, rather than every time you join a jitsi meeting.
morsch · 16h ago
It's not so much about the permissions (which is a browser issue) but about the config.prejoinConfig.enabled flag: usually when joining a meeting, you get an interstitial page which let's you check your webcam image and sound settings before hitting join to enter the call. This setting (passed as a request param) skips that screen.
I'm not a fan, either. I'm used to the interstitial page from other services, and in fact would not expect to join a call and stream data before hitting "join".
Jitsi is used in many custom solutions (which may have their own UI for getting user opt-in, like a customer hitting "Next step" in a registration wizard), I expect that's why they added it.
charcircuit · 13h ago
Even without that enabled. You now have to keep the domain registered forever else an attacker can register the domain start recording people from it since permissions do not reset when site ownership changes.
dathinab · 13h ago
oh yes, that is such a dump design of web permissions
alongside of the abysmal UX for listing/removing them (from a "normal" user POV it's somehwhat usable for someone who understands tech a bit more)
like in general IMHO origin separation over time (e.g. permissions, cache, local storage) should be bound to some public key cryptography schema where the public key is shipped alongside DNS and every time it changes (or disappears) it's treated as a new origin.
So basically HPKP but 1. one key per origin, 2. separate from the TLS key, 3. way less harmful if messed up so actually just fine to use without worry to permanently lock yourself out.
Also maybe 4. crypto likeable to a group of person/company identity public keys detached from TLS and not spoofable by government DNS/TLS takeover attacks. But in a way where this system is added on top instead of being a building block to make it hard for regulators to effectively shut it down. Like I which police all luck to find all the criminals but history non stop shows we can't rely on governments not going crazy and start prosecuting people for just being different without different meaning "actively" hurting other people or entrapping and then persecuting people for having different political (or religious) opinions or other similar nonsense.
dathinab · 13h ago
if it's embedded in another service and you already clicked join etc. through that other service to name one UX flow where an additional pre-join dialog would be not supper wanted
I e.g. would not complain if MS Teams (I have to use for work) would not put me into a pre join dialog every time I click join in Outlook but just joins me with mic muted/camera disabled by default. But then it also wouldn't be a security issue in my case as I put MS Teams and co. into it's own browser window/process/profile (not due to concerns but more as a side effect of them refusing to even trying to work on Firefox and not wanting to miss out on the tab sync + tab group + account container and not being allowed to install arbitrary extensions which add similar functionality to chrome).
3eb7988a1663 · 23h ago
Not that I use Jitsi, but I suddenly feel more embarrassed about my number of open tabs. Some other exploit could have silently been launched long ago.
capitainenemo · 11h ago
At least in Firefox, tabs recording have a pulsing red microphone on the favicon. I feel like you would have noticed, but perhaps you have so many that it is scrolled out of view?
kevin_thibedeau · 10h ago
Old tabs aren't reloaded in Firefox until you click on them. With the pace of updates, tab hoarders are mostly safe.
Maybe my Mac is set to be paranoid, but can you share video without being asked to give the mic and camera permission to operate? I chat with jitsi all the time and have to give jitsi explicit permission to use the mic/camera each time.
dathinab · 13h ago
> but can you share video without being asked to give the mic and camera permission to operate?
yes it's a browser setting to "remember mic/camera permission for given site"
to which extend this "remember" is there by default, can be disabled through system config/MDA etc. is probably very
lastly iff that is a default for Safari on Mac I wouldn't be surprised if that was not only placed their to protect your safety but to annoy you and push you to use Mac, it would fit into a sad list of similar things done by Apple to push people to go through their app store. But then more safe is still more better for many users.
dathinab · 7h ago
> is probably very [????]
... browser specific
not sure where that words disappeared, too
e40 · 17h ago
If you’re using jitsi already, won’t you have already given those permissions?
victorbjorklund · 15h ago
Probably 99% of people clicks "yes, always"
johnisgood · 6h ago
I click and tap "Only this time" on Android and in browsers.
firefax · 23h ago
Is this understood to be new? I think I got hit with this quite a long time ago.
(As in during the pandemic -- long ago in vuln times.)
I am willing to discuss it, off the record, if someone provides their signal information.
dathinab · 13h ago
yes, it's not new
it's probably also not just affecting Jitsi (in a context only looking at "proper" video conference systems)
through its exceedingly simple to archive with Jitsi
spaceport · 21h ago
Where do I pay to read security research writeups with only cats used in explainer images and examples? This exploit is cute.
o11c · 1d ago
Does this apply even for iframes, or not?
zimzi · 1d ago
Generally no - cross origin iframes don't allow camera/audio by default. Even if the toplevel site allows it (via https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameE...), user still needs to grant permissions to toplevel site. Of course you can still use window.open and top.location.href in the iframe and use the same trick as in the article.
iforgotpassword · 6h ago
I mean, I get the idea that you want to skip the whole configure step for webcam/mic if it's embedded somewhere, but I still expect cam/mic to be muted on join. Isn't that what most conferencing tools do, no matter whether you get a config dialog after clicking the join link...
It was disappointing to see the responses in the post. A curt "It's a feature" to a valid security concern & disclosure, and not replying to a request to publish.
Jitsi says "We encourage responsible disclosure for the sake of our users, so please reach out before posting in a public space.". But if no one bothers to reply, why bother to reach out to Jitsi in the first place?
https://jitsi.org/ says, literally in the hero image banner, "More secure" as the first thing you see. The handling of this raises some concerns about that. (If you don't want to be scrutinized as much about privacy & security stuff, I would recommend not advertising "more secure" as the first thing people see on the site)
The user has given permission for audio and videos recording to the jitsi domain during a previous meeting, and the domain is using those permissions to start an unsolicited meeting initiated by a 3rd party, who is given access to the video and audio of the victim.
config.prejoinConfig.enabled=false
config (which implicitly decides weather or not a prejoin dialog is shown)
but this makes me wonder
1. why can you set that config in a URL? Allowing users to set it for them-self seems fine, but allowing rooms or URL to use it seems ... off.
2. how many other sites have this attack surface (e.g. MS Teams) just more obscure
3. actually the moment the attacker controls JS probably *all* other video conference systems have the feature, through potentially needing a lot of additional work. In which case maybe just being straightforward and open about it is fine? But the cost of such an attack is just a very bit too low compared to other conference systems.
That said, I can't think of a reason why you'd want to permit it outside of very specific containers. Useful for integration, but outright bad design for a public instance.
I'm not a fan, either. I'm used to the interstitial page from other services, and in fact would not expect to join a call and stream data before hitting "join".
Jitsi is used in many custom solutions (which may have their own UI for getting user opt-in, like a customer hitting "Next step" in a registration wizard), I expect that's why they added it.
alongside of the abysmal UX for listing/removing them (from a "normal" user POV it's somehwhat usable for someone who understands tech a bit more)
like in general IMHO origin separation over time (e.g. permissions, cache, local storage) should be bound to some public key cryptography schema where the public key is shipped alongside DNS and every time it changes (or disappears) it's treated as a new origin.
So basically HPKP but 1. one key per origin, 2. separate from the TLS key, 3. way less harmful if messed up so actually just fine to use without worry to permanently lock yourself out.
Also maybe 4. crypto likeable to a group of person/company identity public keys detached from TLS and not spoofable by government DNS/TLS takeover attacks. But in a way where this system is added on top instead of being a building block to make it hard for regulators to effectively shut it down. Like I which police all luck to find all the criminals but history non stop shows we can't rely on governments not going crazy and start prosecuting people for just being different without different meaning "actively" hurting other people or entrapping and then persecuting people for having different political (or religious) opinions or other similar nonsense.
I e.g. would not complain if MS Teams (I have to use for work) would not put me into a pre join dialog every time I click join in Outlook but just joins me with mic muted/camera disabled by default. But then it also wouldn't be a security issue in my case as I put MS Teams and co. into it's own browser window/process/profile (not due to concerns but more as a side effect of them refusing to even trying to work on Firefox and not wanting to miss out on the tab sync + tab group + account container and not being allowed to install arbitrary extensions which add similar functionality to chrome).
yes it's a browser setting to "remember mic/camera permission for given site"
to which extend this "remember" is there by default, can be disabled through system config/MDA etc. is probably very
lastly iff that is a default for Safari on Mac I wouldn't be surprised if that was not only placed their to protect your safety but to annoy you and push you to use Mac, it would fit into a sad list of similar things done by Apple to push people to go through their app store. But then more safe is still more better for many users.
... browser specific
not sure where that words disappeared, too
(As in during the pandemic -- long ago in vuln times.)
I am willing to discuss it, off the record, if someone provides their signal information.
it's probably also not just affecting Jitsi (in a context only looking at "proper" video conference systems)
through its exceedingly simple to archive with Jitsi