Vulnerability: Unsafe default passwords in Jitsi Meet


There is in the free video conference software Jitsi Meet a security problemif you used the installation with Docker containers. Various accounts that are used internally for communication using the Jabber protocol XMPP are assigned the standard password "passw0rd" set up.

Job market

  1. Administrative professional association VBG statutory accident insurance, Hamburg
  2. LORENZ Life Sciences Group, Frankfurt am Main

What was not intended here: These accounts can also be accessed from outside. The Jitsi Meet web server enables this through a BOSH interface. It is a protocol with which you can use XMPP over HTTP connections. So you can log in with these standard accounts on the XMPP server Prosody used by Jitsi Meet. This gap was discovered by the IT security expert Joern Schneeweisz.

Login with the password "passw0rd"

The developers have now adapted their installation instructions. To install Jitsi Meet via Docker, you now have to run a script that sets all internally used passwords to random values. If the passwords are not set or the old default value "passw0rd" use, the start is denied.

In the face of the corona pandemic, video conferencing systems have been very popular recently. Many users have installed Jitsi Meet for this, has recently published and operates a corresponding manual even a public server. We have now adapted the instructions. All users who installed Jitsi Meet using our original guide are affected by the problem.

If you already have an existing installation of Jitsi Meet with Docker, you should definitely secure it. The following commands can be executed in the corresponding directory of the Git checkout:

  1. git pull
  2. ./
  3. docker-compose down
  4. rm -r ~/.jitsi-meet-cfg/
  5. mkdir -p ~/.jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb,jigasi,jibri}
  6. docker-compose up -d

The code of the Git repository is updated first, then random passwords are set in the configuration file using the script. Then you shut down the server, delete the existing configuration and create new, empty configuration directories. Finally you start the server again. provides test script

To test whether the whole thing was successful, we have provided a python scriptthat can be used to test vulnerability. The script tries to log into one of the XMPP accounts.

The vulnerability can be used to bypass user authentication on installations that have activated one. Further effects are conceivable, since an attacker has an administration account on the internal XMPP server.

Please activate Javascript.

Or use that Golem pure offer

and read

  • without advertisement
  • with javascript turned off
  • with RSS full text feed