[beta.meet.jit.si] - Keys Exposed

There is an endpoint exposing secrets: https://beta.meet.jit.si/config.js

It exposes: amplitudeAPPKey and callStatsSecret among other things.

I have this beta.meet.jit.si endpoint from a BugBounty endpoints list, but in this case I am not sure how this works, I report you this way anyways, in case that is interesting.


Those are not secret values, just API keys which are ok to be in the public, thanks for worrying though!

PS: next time, please use our security contact email instead of publishing in a public forum before we’ve had the time to check.