CVE-2024-33530: Jitsi Meet Flaw Leaks Meeting Passwords, Exposing Calls to Intruders

Security researcher Florian Port at Insinuator recently uncovered a critical flaw in Jitsi Meet, the popular open-source video conferencing platform. The vulnerability (CVE-2024-33530) allows unauthorized individuals to gain the meeting password, potentially bypassing security and joining private conferences.

Overview of the Vulnerability

Jitsi Meet, recognized for its user-friendly interface and strong security measures, offers two layers of security to its meeting moderators: password protection and lobby mode. However, a newly identified flaw in the system’s architecture leads to unintended password disclosures under certain conditions.

The CVE-2024-33530 vulnerability arises when a user, initially placed in a lobby due to the meeting’s settings, is invited into the main conference room. As part of the process managed by the Extensible Messaging and Presence Protocol (XMPP), the server inadvertently sends the meeting’s password directly to the invitee via an XMPP message over web sockets. This message not only confirms the user’s access but also exposes the sensitive password, contravening standard security practices.

Technical Insight

Jitsi utilizes XMPP, a protocol primarily designed for real-time communication and instant messaging over the Internet. In Jitsi’s context, XMPP orchestrates the functionalities of multi-user chats (MUC), which include the implementation of password-protected rooms. Although XMPP’s standards typically require both a password and member status to access protected meetings, Jitsi’s implementation deviates by automatically granting member status upon password entry. This deviation leads to the potential for unauthorized password sharing among users without moderation rights, escalating the risk of uncontrolled access to private meetings.

Proof of Concept

The vulnerability was demonstrated through a Proof of Concept (PoC), where the XMPP message relayed to the invitee contained the meeting’s password. This exposure occurs within the protocol’s compliance for mediated invites but falls short in preserving the confidentiality expected in secure meetings.

Origins and Impact

Researcher Port discovered this vulnerability during a client project. Further investigation shows it has existed since the very first version of Jitsi that supported lobbies (version 1.0.4289, released in July 2020). The flaw affected all subsequent versions up to 2.0.9364. Thankfully, a patch was released in Jitsi version 2.0.9457 on April 23, 2024.

Actions to Take

If you use Jitsi Meet, especially for sensitive discussions:

1. Update Immediately: Upgrade to version 2.0.9457 or later to fix the password leak issue.

2. Rethink Lobby Usage: Carefully consider if the lobby feature is strictly necessary, especially if you primarily rely on meeting passwords for security.

3. Strong Passwords Remain Vital: Even with the patch, use complex, unique passwords for your Jitsi meetings. Avoid reusing passwords or sharing them via insecure channels.