Generally no - cross-origin iframes don't allow camera/audio by default. Even if the top-level site allows it (via https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameE...), the user still needs to grant permissions to the top-level site. Of course you can still use window.open and top.location.href in the iframe and use the same trick as in the article.
3eb7988a1663•3h ago
Not that I use Jitsi, but I suddenly feel more embarrassed about my number of open tabs. Some other exploit could have silently been launched long ago.
unsnap_biceps•3h ago
Can someone describe the feature that this is used for? I struggle to think of any valid reason for automatic joining with audio/video like that.
firefax•3h ago
Is this understood to be new? I think I got hit with this quite a long time ago.
(As in during the pandemic -- long ago in vuln times.)
I am willing to discuss it, off the record, if someone provides their Signal information.
Telemakhos•2h ago
Maybe my Mac is set to be paranoid, but can you share video without being asked to give the mic and camera permission to operate? I chat with Jitsi all the time and have to give Jitsi explicit permission to use the mic/camera each time.
spaceport•2h ago
Where do I pay to read security research writeups with only cats used in explainer images and examples? This exploit is cute.
o11c•4h ago
zimzi•4h ago