Meet Guru is a free video conferencing and meeting app that lets you stay in touch with all your teams, be they family, friends, or colleagues, and communicate from anywhere. Instant video conferences, efficiently adapting to your scale. Meet Guru uses the free and open-source Jitsi server in the backend to process and encrypt all the communication between users; Jitsi promises better quality and lower latency.

- Create meetings and share the meeting code directly from the app.
- Join meetings easily using the meeting code.
- Rejoin previous meetings by browsing the meeting history.
- Lock-protected rooms: control access to your conferences with a password.
- Chat with other users during the meeting.
- There are no artificial restrictions on the number of users or conference participants.

We do not ask for or collect any personally identifiable information, directly or indirectly, as a condition for using this app. You will be governed by the privacy rules and regulations of the host server service provider when using this client app.

How To: Install Jitsi Server (Crosstalk Solutions, video): a complete walkthrough of how to install and properly secure a hosted Jitsi video server. Useful for conferencing, meetings and classroom studies online from home.

Jitsi Meet Electron registers a handler for Electron's `new-window` event in the main process. The handler body was truncated in extraction; the version below is reconstructed from the behaviour described in the text that follows (the helper name `getPopupTarget` is taken from that description, not from the page):

```js
mainWindow.webContents.on('new-window', (event, url, frameName) => {
    // Reconstructed: look up whether a popup target is registered for this URL/frame name.
    const target = getPopupTarget(url, frameName);

    if (!target || target === 'browser') {
        event.preventDefault();
        shell.openExternal(url);
    }
});
```

This hooks the creation of new windows to instead pass the URL to shell.openExternal() unless a popup target other than browser is registered for the URL and frame name of the new window. These popup targets are however only used to handle windows that should always stay on top (see here) and are thus not a security check.

As mentioned before, the app can be used with third-party servers. As such, it is possible for an attacker to inject a malicious call to window.open() into the pages of their Jitsi Meet instance that will then allow them to pass arbitrary URLs to shell.openExternal() when a user uses their server with the app.

I have already written another blog post that goes into the details of the security problems with shell.openExternal(). In the case of this app, the attack surface was somewhat limited insofar as the external server is loaded through an iframe, and opening file: URLs was thus blocked. However, all the other protocols could still be used as discussed. Below is a video demonstrating the exploit: a .desktop file on a remote server allowed for RCE on Xubuntu 20.04, as described in the other post.

The attack surface was further extended by the recent introduction of a protocol handler that allows linking to rooms on external servers (using jitsi-meet:///dangerous-room). An attacker could use a link like this to lead a user to use their server without having to set the server URL in the app preferences.

Additionally, the app exposed the shell.openExternal() function on the window object, which could be accessed from the renderer process as context isolation is disabled. This was not a critical problem, as the remote site is only loaded in an iframe and thus doesn't have access to the app's window object. However, if an attacker somehow managed to achieve XSS in the renderer process, they could use this to escalate it into RCE. As there were no uses of the exposed function in the code, I included a recommendation to remove it in my report.

I reported the vulnerability to the developers on June 28, 2020. I confirmed that it worked using the latest release of the app at that time, version 2.2.0. Props to the Jitsi developers who implemented a fix just a few days later, on June 30, 2020, by filtering the URLs that may be passed to shell.openExternal() to only allow HTTP(S) URLs (see the fix commit). The fix was released in version 2.3.0 on July 2, 2020.

Timeline:

- June 28, 2020: Vulnerability discovered and reported to the developers.
- June 30, 2020: Developers implement fix in commit ca1eb702507fdc4400fe21c905a9f85702f92a14.
- July 2, 2020: Version 2.3.0 released with the fix.