COVID-19 poses a grave danger to the world due to its high rate of spread, and the virus continues to affect different geographical locations. In April, X41 therefore teamed up with other security companies to offer a security test to projects that aim to lessen the impact of the pandemic.
Of the many applicants, the Hopp Foundation was selected as the project to be tested by X41. The Hopp Foundation provides services to schools to ease the burden of home schooling. Among these services and infrastructure are Jitsi Meet servers, which can be used for home schooling. Since this infrastructure is mostly run by volunteers and uses open source technology, it fits our selection criteria perfectly.
X41 identified several security issues, some of them in the upstream Jitsi code. Among them is an XSS vulnerability that affects Jitsi installations using Shibboleth, which has already been fixed upstream.
Another is a command injection in the jipopro code, but we have been told that this code is discontinued and should not be used anywhere.
We want to thank everyone who helped out with this test, especially Stefan Stahl, who is volunteering at the Hopp Foundation and was our main point of contact.
X41 D-Sec GmbH is an expert provider of application security services. With extensive experience and expertise in the information security industry and a strong core security team of world-class experts, X41 can provide premium security services. Their fields of expertise in the area of application security are security-centered code reviews, binary reverse engineering, and vulnerability discovery. Custom research and IT security consulting and support services are the core competencies of X41.