Paper 2023/1118

Practically-exploitable Vulnerabilities in the Jitsi Video Conferencing System

Robertas Maleckas, ETH Zürich
Kenneth G. Paterson, ETH Zürich
Martin R. Albrecht, King's College London

Jitsi Meet is an open-source video conferencing system, and a popular alternative to proprietary services such as Zoom and Google Meet. The Jitsi project makes strong privacy and security claims in its advertising, but there is no published research into the merits of these claims. Moreover, Jitsi announced end-to-end encryption (E2EE) support in April 2020, and prominently features this in its marketing. We present an in-depth analysis of the design of Jitsi and its use of cryptography. Based on our analysis, we demonstrate two practical attacks that compromised server components can mount against the E2EE layer: we show how the bridge can break integrity by injecting inauthentic media into E2EE conferences, whilst the signaling server can defeat the encryption entirely. On top of its susceptibility to these attacks, the E2EE feature does not apply to text-based communications. This is not made apparent to users and would be a reasonable expectation given how Jitsi is marketed. Further, we identify critical issues with Jitsi's poll feature, which allow any meeting participant to arbitrarily manipulate voting results. Our findings are backed by proof-of-concept implementations and were verified to be exploitable in practice. We communicated our findings to Jitsi via a coordinated disclosure process. Jitsi has addressed the vulnerabilities via a mix of technical improvements and documentation changes.

Available format(s)
Attacks and cryptanalysis
Publication info
Contact author(s)
robertas maleckas @ alumni ethz ch
kenny paterson @ inf ethz ch
martin albrecht @ kcl ac uk
2023-07-18: approved
2023-07-18: received
See all versions
Short URL
No rights reserved


      author = {Robertas Maleckas and Kenneth G. Paterson and Martin R. Albrecht},
      title = {Practically-exploitable Vulnerabilities in the Jitsi Video Conferencing System},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1118},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.