Video feed was captured while user has disabled video

High
franziskuskiefer published GHSA-7fg4-x8vj-qvxf Feb 8, 2021

Package

No package listed

Affected versions

<= 3.74

Patched versions

3.75

Description

Impact

Video capture is not stopped when a user who has their camera enabled then disables it.
This is a privacy issue because video is still streamed to the call while the user believes it is disabled. It impacts all users in video calls.

Patches

The fix stops the video capture whenever the video state changes to anything other than .started.
.started is the only state in which video is meant to be recorded; no other state of the self user should result in video being captured.
With the fix, tapping the disable video button effectively changes the video state.

Fix: 7e3c301
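
The fail-closed rule described above, sketched in Swift as an added example; it is not the project's code or the contents of the fix commit. Every type and member name is hypothetical, and the states other than .started are constructed for illustration.

```swift
// Added illustration: hypothetical names, not the project's API.
// Only .started comes from the advisory; the other cases are constructed.
enum VideoState {
    case started, stopped, paused, badConnection
}

protocol VideoCapturer: AnyObject {
    func startCapture()
    func stopCapture()
}

final class SelfVideoController {
    private let capturer: VideoCapturer

    // Every state change re-derives whether the camera may run.
    var videoState: VideoState = .stopped { didSet { syncCapture() } }

    init(capturer: VideoCapturer) { self.capturer = capturer }

    // Allowlist, not denylist: .started is the single state that permits
    // capture. Any other state, including one added later, stops the camera.
    private func syncCapture() {
        if videoState == .started {
            capturer.startCapture()
        } else {
            // Called unconditionally; stopping an idle camera is a no-op.
            capturer.stopCapture()
        }
    }
}

// Test double that records what the camera was told to do.
final class RecordingCapturer: VideoCapturer {
    private(set) var running = false
    func startCapture() { running = true }
    func stopCapture() { running = false }
}

let camera = RecordingCapturer()
let controller = SelfVideoController(capturer: camera)
// Constructed sequence of transitions, including re-enabling the camera.
for state in [VideoState.started, .paused, .started, .badConnection, .stopped] {
    controller.videoState = state
    // Invariant: the camera runs if and only if the state is .started.
    precondition(camera.running == (state == .started))
}
```

Keying the stop on "not .started" rather than on a list of known off states means a state introduced later cannot leave the camera streaming.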

Workarounds

no

Severity

High

CVE ID

CVE-2021-21301

Weaknesses

No CWEs