Jitsi Meet on Docker contained default passwords for important users, which could be abused to run administrative XMPP commands, including shutting down the server, changing the administrative password and loading Prosody modules. We also provide instructions on how to check for this issue if you administer a Jitsi Meet server.

Background story

A few days ago we noticed a tweet by mentioning something that sounded familiar, Jitsi. He recommended that people using the docker image for Jitsi meet set secure passwords. The security update’s ChangeLog explained that:

> Previous releases included default passwords for system accounts, and users who didn’t change them are at risk of getting the authentication system circumvented by an attacker using a system account with the default password. Please update and use the provided script (instructions on the README) to generate a strong password for each system account.

Then Hanno Böck released a script to check for this vulnerability, together with an article (in German) about the vulnerability.

So, basically, these default passwords could be used to log in to the XMPP server used by Jitsi Meet, called Prosody. Since many Jitsi Meet servers actually allow you to set up a video conference for free, without credentials (using anonymous authentication), the dear reader must be thinking, big deal right? How bad is it?

Well, actually it is a bit of a big deal. Jitsi Meet uses Prosody for the signalling part of the video conferencing solution. During setup of the docker images, various internal XMPP accounts are created automatically, allowing the different components of Jitsi Meet to communicate over the XMPP server. Specifically, the following users are created by default:

- focus for Jicofo, which stands for JItsi COnference FOcus, which manages media sessions between each of the participants and the videobridge.
- jvb for JVB, which stands for Jitsi Videobridge, the video router.
- jibri for Jibri, which is the broadcasting infrastructure. Essentially, a headless chrome for recording and streaming purposes; very interesting from a security perspective but we leave that for another time.
- jigasi for Jigasi, which is a SIP gateway for audio calls.

All users, except for the recorder, are available on the auth domain, which is. In the case of the recorder user, this user is available on the special domain. All of these settings are of course configurable but they all came with the default password of passw0rd.
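An added example, not from the original article or the Jitsi project: a local audit of a docker-jitsi-meet `.env` file that flags system accounts whose password is still `passw0rd`, empty, short or shared with another account. The variable names are assumed from the project's `.env` layout, and the 16-character minimum is an assumed local policy.

```python
import re

# Variable names assumed from docker-jitsi-meet's .env file -> XMPP account.
SYSTEM_ACCOUNT_VARS = {
    "JICOFO_AUTH_PASSWORD": "focus",
    "JVB_AUTH_PASSWORD": "jvb",
    "JIBRI_XMPP_PASSWORD": "jibri",
    "JIBRI_RECORDER_PASSWORD": "recorder",
    "JIGASI_XMPP_PASSWORD": "jigasi",
}
DEFAULT_PASSWORD = "passw0rd"  # shipped default named in the article
MIN_LENGTH = 16                # assumed local policy, not a project rule
LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")

def parse_env(text):
    """Parse KEY=VALUE lines, skipping comments and stripping one quote layer."""
    values = {}
    for line in text.splitlines():
        m = None if line.lstrip().startswith("#") else LINE_RE.match(line)
        if not m:
            continue
        key, val = m.groups()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
            val = val[1:-1]
        values[key] = val
    return values

def audit(text):
    """Return {variable: finding} for each system account needing a new password."""
    env, findings, first_use = parse_env(text), {}, {}
    for var, account in SYSTEM_ACCOUNT_VARS.items():
        pw = env.get(var, "")
        if not pw:
            findings[var] = f"{account}: unset or empty"
        elif pw == DEFAULT_PASSWORD:
            findings[var] = f"{account}: default password"
        elif len(pw) < MIN_LENGTH:
            findings[var] = f"{account}: shorter than {MIN_LENGTH} characters"
        elif pw in first_use:
            findings[var] = f"{account}: reuses {first_use[pw]}"
        first_use.setdefault(pw, var)
    return findings

# Constructed sample .env, not taken from a real deployment.
SAMPLE_ENV = """\
JICOFO_AUTH_PASSWORD=passw0rd
JVB_AUTH_PASSWORD="passw0rd"
JIBRI_XMPP_PASSWORD=3f9c1e7a5b2d4c6e8f0a1b3c5d7e9f01
JIBRI_RECORDER_PASSWORD=3f9c1e7a5b2d4c6e8f0a1b3c5d7e9f01
JIGASI_XMPP_PASSWORD=
"""

if __name__ == "__main__":
    for var, finding in audit(SAMPLE_ENV).items():
        print(f"{var}: {finding}")
```

A clean result only means the file holds distinct, non-default values; accounts already registered in Prosody keep their old password until it is changed there as well.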