Security vulnerabilities

  • Status Closed
  • Assigned To No-one
  • Private
Attached to Project: Security vulnerabilities
Opened by weshi - 18.01.2024
Last edited by cbay - 18.01.2024

FS#16 - Unauthenticated-Video conferencing on "https://jitsi.alwaysdata.com"

Description: While enumerating subdomains of Alwaysdata.com,
I found a subdomain openly hosting video conferencing for everyone.

Steps to reproduce:
1. Visit the site: "https://jitsi.alwaysdata.com/"
2. Create a video conference: "malicious.conferencing"
3. Now anyone can join the video call with the link provided by the attacker.

This could lead to potential damage to Alwaysdata if the attacker intends to exploit this in a malicious way,
as this is open to any user on the web.

Impact:

1. Unauthorized Access:
Vulnerability: If the video conferencing system is not properly secured, it may be susceptible to unauthorized access.
Impact: Unauthorized individuals could join sensitive meetings, leading to the potential exposure of confidential information.

2. Phishing Attacks:
Vulnerability: Attackers may exploit the subdomain for phishing attacks, tricking users into providing sensitive information.
Impact: This could lead to the compromise of user credentials or the installation of malware on participants' devices.

3. Data Storage Security:
Vulnerability: Inadequate security measures for storing recorded video conference sessions.
Impact: Stored data may be at risk of unauthorized access, leading to the exposure of sensitive information.

POC:
https://drive.google.com/file/d/17NnRxFnzj7gZFsLXNEzt28b4jYjW7c-d/view?usp=sharing

Mitigation: To mitigate these risks, Alwaysdata should implement strong authentication and encrypt communication channels.

Closed by cbay
18.01.2024 09:18
Reason for closing: Invalid
Admin
cbay commented on 18.01.2024 09:17

Hello,

That Jitsi was setup during the COVID-19 pandemic in order to help people that needed video conferencing. When the lockdowns started, most video conferencing apps were overloaded so any help was worth doing.

So it was public on purpose. That's not a vulnerability at all, and many similar websites do exist that let you create conferences (e.g. Jitsi Meet).

However, that Jitsi has now long been unused, so we've just removed it.

Kind regards,
Cyril

weshi commented on 18.01.2024 09:22

Greetings Cbay,

Thanks for your response,

but this could have been exploited by any potential attacker, leveraging the company's reputation: as there was no authentication between the calls, anyone could create or join an existing meet.

If possible, could I get any swag or bounty?

Thank you,
W3shi

Admin
cbay commented on 18.01.2024 09:30

There was no authentication on purpose, to have a very simple solution for non tech-savvy users. You can read more on why Jitsi Meet made that choice, for instance.

Again, that's not a vulnerability.
