Security vulnerabilities

  • Status Closed
  • Assigned To No-one
  • Private
Attached to Project: Security vulnerabilities
Opened by weshi - 18.01.2024
Last edited by cbay - 18.01.2024

FS#16 - Unauthenticated-Video conferencing on ""

Description: while Enumerating subdomains of,
I Found a subdomain open hosting video conferencing for all.

Steps to reproduce: 1.visit the site :""
2.create a video conferencing :"malicious.conferencing"
3.Now anyone can join the video call with the link provided by the attacker.

This could lead to potential damage to the Alwaysdata if the attacker intends to exploit this in a malicious way.
as this is open for any users on the web.

Impact: 1.Unauthorized Access:

Vulnerability: If the video conferencing system is not properly secured, it may be susceptible to unauthorized access.
Impact: Unauthorized individuals could join sensitive meetings, leading to the potential exposure of confidential information.

2.Phishing Attacks:
Vulnerability: Attackers may exploit the subdomain for phishing attacks, tricking users into providing sensitive information.
Impact: This could lead to the compromise of user credentials or the installation of malware on participants' devices.
3.Data Storage Security:

Vulnerability: Inadequate security measures for storing recorded video conference sessions.
Impact: Stored data may be at risk of unauthorized access, leading to the exposure of sensitive information.


Mitigation: To mitigate these risks, Alwaysdata should implement strong authentication, encrypt communication channels.

Closed by  cbay
18.01.2024 09:18
Reason for closing:  Invalid
cbay commented on 18.01.2024 09:17


That Jitsi was setup during the COVID-19 pandemic in order to help people that needed video conferencing. When the lockdowns started, most video conferencing apps were overloaded so any help was worth doing.

So it was public on purpose. That's not a vulnerability at all, and many similar websites do exist that let you create conferences (e.g. Jitsi Meet).

However, that Jitsi has now long been unused, so we've just removed it.

Kind regards,

weshi commented on 18.01.2024 09:22

Greetings Cbay,

thanks for your response,

but this could have been exploited by any potential attackers.Leveraging the Company's reputation as there were no authentication between the calls anyone could create or join a existing meet.

if possible could i get any swag or bounty.>

Thank you,

cbay commented on 18.01.2024 09:30

There was no authentication on purpose, to have a very simple solution for non tech-savvy users. You can read more on why Jitsi Meet made that choice, for instance.

Again, that's not a vulnerability.


Available keyboard shortcuts


Task Details

Task Editing