Brave browser can bypass user/pass authentication (update: debunked)

inu · December 15, 2020, 1:36pm

I tried out setting up a Jitsi server, and enforce user + password authentication for use with family.
But sadly, I found a very simple to execute security flaw.

In Brave there are 3 settings of blocking browser fingerprinting.
If set to “attempt blocked cross site fingerprinting” or “attempt permitted fingerprinting”, it’ll prompt a username and password popup just like on Firefox, Chromium, and Konqueror.
But if set to “attempt blocked fingerprinting”, the login popup will not appear, and can enter the meeting despite having set up authentication on the server

gpatel-fr · December 15, 2020, 9:57am

you can enter a meeting with several users or just one ? in the latter case it’s not a real ‘meeting’, it’s just a way of seeing yourself.

inu · December 15, 2020, 10:00am

Sorry, but not sure what amount of users has to do with bypassing user authentication.

gpatel-fr · December 15, 2020, 11:08am

as I said, if you have a meeting of one, it’s not a meeting at all, so there is no authentication bypassed.

inu · December 15, 2020, 12:13pm

I’m talking about the exact same server, exact same room, exact same URL, tested in multiple browsers and even multiple sessions of each browser.
Which is why I don’t know what user count has to do with anything.

Maybe it’ll become clear with a video.

gpatel-fr · December 15, 2020, 12:16pm

No need to discuss further then. Bye.

damencho · December 15, 2020, 1:00pm

Hiding the login dialog does not mean bypassing security. If you are able to actually join the room and see the other participants that is entering the meeting and that will be bypassing the authentication. Do you see that, as your video shows just hiding the login dialog?

inu · December 15, 2020, 1:34pm

Tried using 2 users on 2 other browsers (I chose Konqueror and Firefox for this).
Indeed, the Konqueror and Firefox ones actually seemed to be in conversation, the Brave one wasn’t (appeared like if the Brave one existed in an alternative dimention).

That explains the reason, thank you!

As for seeing video, my PC has no camera nor microphone, so I don’t know.
Intention is to have it used by our smartphones, and is meant as an insurance in case LINE will be blackout too during this week (Naver is a big tech corporation afterall).