Bug bounty bout report 0x01 - WebRTC edition
Last updated: Jun 16, 2020
Read the full report here.
In April 2020, in between SIPVicious PRO development and pentesting VoIP and WebRTC, we dedicated some days to bug bounties and vulnerability disclosure programs to see what comes out of it. Our focus was on those that have WebRTC infrastructure in scope. In the end, we reported 3 vulnerabilities to 4 different vendors, for 6 different products. So finally, after making sure that the affected vendors have addressed these security issues and have agreed with publication, we are putting out a compiled report!
Each finding gives background information about the actual vulnerability, assessing its impact and instructions on how to reproduce the vulnerability. Additionally, we included our recommendations on how the vulnerability could be addressed and a timeline showing our bug reporting and re-testing process. The report structure is based on our normal pentest reports and so it includes additional sections found in our template.
The vulnerabilities that we reported were the following:
- Open TURN relay abuse affects multiple vendors and products due to lack of peer access control
- Outdated Coturn is vulnerable to known security issues
- Default XMPP administrative accounts leading to DoS and potentially, spying on video calls, RCE
Some of the individual reports have been made public or mentioned at the following locations:
- Hackerone: 8x8 Open TURN relay abuse
- Hackerone: 8x8 Outdated Coturn known vulnerabilities
- Simwood blog: Jitsi Meet on Docker
The conclusion from the compiled report sums it up:
A number of tests were done on the target WebRTC infrastructures that were in our scope. Almost each vendor in scope had their own custom infrastructure and applications, therefore requiring dedicated research while taking a targeted approach. During the time allocated for this bounty bout, we realized that such effort was better spent focusing on known vulnerabilities. The TURN open relay vulnerability was, in fact, found to be wide spread enough to affect 3 of the vendors in our scope. This is possibly due the common requirement of having a TURN server for various types of WebRTC deployments. In the case of the Jitsi Meet for Docker default password, only one vendor was found to be vulnerable but we suspect that outside the scope of bug bounties and vulnerability disclosure programs, various other vendors may be affected.
Enable Security would like to thank all the bug bounty programs and vendors involved for their positive reception and for handling our reports in a professional and timely manner. In this report, the open TURN relay finding is stated as one generic finding since two of the affected vendors asked us to redact or anonymize the information. The outdated coTURN finding was also redacted as requested by the affected vendor.
We would like to especially thank Simwood for their open approach, allowing us to fully disclose the report that we provided to them, while quickly addressing the security issues and keeping us updated all throughout.