[SECURITY] Jitsi Meet Room IDs are predictable #14836

Closed
qchn opened this issue Jun 19, 2019 · 9 comments
Labels
stat: stale Stale issues will be automatically closed if no activity

@qchn

qchn commented Jun 19, 2019

Description:

RocketChat generates Jitsi Room IDs which are predictable instead of randomized room IDs.

Expected behavior:

RocketChat should generate Jitsi Room IDs with randomness

Actual behavior:

When a Jitsi call is initiated from within RocketChat, a Jitsi room ID is generated.
There are two types of rooms:

  • channels/groups chats, which generate an ID with the following format:
  • direct (person to person) chats, which have the following format:

The IDs are generated by Redis (17 characters long). The IDs do not change and always stay the same for the same room or person.

There exists one special channel/group with the ID GENERAL.
Here are some example IDs; the IDs for direct chats seem to be sorted lexicographically (A-Z then a-z):

RocketChatdWmoPHTrjMXGxHWmGENERAL
RocketChatdWmoPHTrjMXGxHWm6zL6g95HRX3cSr8Ae
RocketChatdWmoPHTrjMXGxHWmGgzAzuQHjiNKRqTYS
RocketChatdWmoPHTrjMXGxHWmPQF6rfxDN4Bqdz7xd
RocketChatdWmoPHTrjMXGxHWmYRquRg3SkQhigWms3
RocketChatdWmoPHTrjMXGxHWuBqfLXvrypxtktizL9bkDv5ZX4CmfYkr2yQ
RocketChatdWmoPHTrjMXGxHWmE7TviSYCxastoNSjHbkDv5ZX4CmfYkr2yQ
RocketChatdWmoPHTrjMXGxHWmXhkpQNjhpYzRnsbtMbkDv5ZX4CmfYkr2yQ
RocketChatdWmoPHTrjMXGxHWmbkDv5ZX4CmfYkr2yQtovhDJ7crLSwpCxKJ

Server Setup Information:

  • Version of Rocket.Chat Server: 0.74.3 / 1.1.2
  • Operating System: Debian Jessie
  • Deployment Method: tar
  • Number of Running Instances: 8
  • MongoDB Version: 3.4.18

Additional context

Threat:
Attackers can join calls once they have learned the IDs.
The RocketChat instance ID as well as the ID of your own user can be learned by initiating a call with yourself.
To learn the ID of other users, a call to them can be initiated. There possibly exist other ways to learn the IDs.
To learn the channel ID, attackers need to be part of them at least once.

An attacker can easily join all person to person meetings this way and try to gain information.
Users can detect this easily by looking at the participants of the meeting.
Alternatively attackers could execute a DoS attack by setting a password to the channels.
Users can simply choose another room id.

@reetp

reetp commented Jun 19, 2019

As per this can you please test this on 'latest' please?

https://rocketchat.github.io/docs/contributing/reporting-issues/

Use at least v1.1.2 and if you can try 1.2.0 - Develop

@qchn
Author

qchn commented Jun 19, 2019

Hi @reetp,

I just tested it for Version 1.1.2 on our test environment, it's the same behavior.

Best
Robert

@geekgonecrazy
Contributor

#12259 would secure this, making Rocket.Chat a gatekeeper, so only those authorized would get a token generated for that specific room.

@qchn
Author

qchn commented Dec 18, 2019

Thank you for the hint, @geekgonecrazy. JWT would fix the issue if we'd use Jitsi only in connection with Rocket.Chat, which is not the case. We use Jitsi as a standalone service as well as Rocket.Chat.
The only way to fix this issue for our setup is to implement something that randomizes the room IDs within Rocket.Chat. This would be very helpful.

Best
Robert
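
An illustration of the per-call randomization requested in the comment above, added here as an example; it is not part of the thread and not Rocket.Chat code. `staticRoomName`, `CallRegistry` and the sample IDs are hypothetical, and the static name format is an assumption inferred from the sample IDs in the report.

```javascript
// Added example (not Rocket.Chat code). All names below are hypothetical.
const crypto = require('crypto');

// Static scheme, as inferred from the sample IDs in the report:
// fixed prefix + instance ID + room ID, identical for every call in a room.
function staticRoomName(instanceId, rid) {
  return `RocketChat${instanceId}${rid}`;
}

// Per-call scheme: the Jitsi room name is random, and only the server-side
// registry links it to a chat room.
class CallRegistry {
  constructor(ttlMs = 60 * 60 * 1000) {
    this.ttlMs = ttlMs;
    this.calls = new Map(); // rid -> { name, expiresAt }
  }

  // Called when a member starts a call; replaces any earlier name.
  startCall(rid, now = Date.now()) {
    // 16 bytes from the CSPRNG = 128 bits, hex-encoded so it is URL-safe.
    const name = crypto.randomBytes(16).toString('hex');
    this.calls.set(rid, { name, expiresAt: now + this.ttlMs });
    return name;
  }

  // Returns the active name to room members only; null otherwise.
  joinCall(rid, isMember, now = Date.now()) {
    const call = this.calls.get(rid);
    if (!isMember || !call) return null;
    if (now >= call.expiresAt) {
      this.calls.delete(rid); // expired names are never handed out again
      return null;
    }
    return call.name;
  }
}

// Constructed sample values, not taken from a real instance.
const INSTANCE_ID = 'exampleInstance01';
const RID = 'exampleRoomId0001';
```

A random name only limits who can guess the room; anyone who is given the name during a call can still join it on a Jitsi server that does not enforce tokens.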

@lightngn

lightngn commented Apr 21, 2020

Hello all!
First of all thanks for all the great work....

Here is my problem, I have private rocketchat + jitsi. I am wondering if it is possible to remove the randomness (room ID) from the and just use the room name when a videoconference is started. The reason why is that Jitsi + Jigasi are integrated and I need a standard room name so the sip clients can dial in ...

Thanks in advance..
S...

as per mickymiek... moved to CF #17389

@mickymiek

mickymiek commented Apr 22, 2020

I'm in the same boat as @lightngn, I think there should be an option to make the Jitsi room have the same name as the Rocket.Chat channel it was started from.

@jbguerraz
Contributor

CF #17389

@qchn
Author

qchn commented Jun 17, 2020

The only way to fix this issue for our setup is to implement something that randomizes the room IDs within Rocket.Chat. This would be very helpful.

@geekgonecrazy
any news or update on this?

Best
Robert

@github-actions
Contributor

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stat: stale Stale issues will be automatically closed if no activity label Oct 10, 2020

6 participants