[SECURITY] Jitsi Meet Room IDs are predictable #14836
Description
Description:
RocketChat generates Jitsi room IDs that are predictable instead of randomized room IDs.
Expected behavior:
RocketChat should generate Jitsi room IDs using randomness.
Actual behavior:
When a Jitsi call is initiated from within RocketChat, a Jitsi room ID is generated.
There are two types of rooms:
channel/group chats, which generate an ID with the following format:
direct (person-to-person) chats, which have the following format:
The IDs are generated by Redis (17 characters long). The IDs do not change and always stay the same for the same room or person.
There exists one special channel/group with the ID GENERAL.
Here are some example IDs; the IDs for direct chats seem to be sorted lexicographically (A-Z, then a-z):
RocketChatdWmoPHTrjMXGxHWmGENERAL
RocketChatdWmoPHTrjMXGxHWm6zL6g95HRX3cSr8Ae
RocketChatdWmoPHTrjMXGxHWmGgzAzuQHjiNKRqTYS
RocketChatdWmoPHTrjMXGxHWmPQF6rfxDN4Bqdz7xd
RocketChatdWmoPHTrjMXGxHWmYRquRg3SkQhigWms3
RocketChatdWmoPHTrjMXGxHWuBqfLXvrypxtktizL9bkDv5ZX4CmfYkr2yQ
RocketChatdWmoPHTrjMXGxHWmE7TviSYCxastoNSjHbkDv5ZX4CmfYkr2yQ
RocketChatdWmoPHTrjMXGxHWmXhkpQNjhpYzRnsbtMbkDv5ZX4CmfYkr2yQ
RocketChatdWmoPHTrjMXGxHWmbkDv5ZX4CmfYkr2yQtovhDJ7crLSwpCxKJ
Server Setup Information:
- Version of Rocket.Chat Server: 0.74.3 / 1.1.2
- Operating System: Debian Jessie
- Deployment Method: tar
- Number of Running Instances: 8
- MongoDB Version: 3.4.18
Additional context
Threat:
Attackers can join calls once they have learned the IDs.
The RocketChat instance ID, as well as the ID of your own user, can be learned by initiating a call with yourself.
To learn the IDs of other users, a call to them can be initiated. Other ways to learn the IDs may possibly exist.
To learn a channel ID, attackers need to have been part of the channel at least once.
An attacker can easily join all person-to-person meetings this way and try to gain information.
Users can detect this easily by looking at the participants of the meeting.
Alternatively, attackers could execute a DoS attack by setting a password on the channels.
Users can simply choose another room ID.