Bug 1564588 Comment 18 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

I only marked it "leave open" since comment 0 mentions two ways to deeplink into attacker rooms: 1) from a top-level domain, solely through navigating to a vulnerable WebRTC site with the attacker room in the URL without the user's intent, and 2) from an embedded iframe that does so on the sly, maybe even visually hiding that this is taking place.

Since I gather the risk profiles are quite different, I'm happy to open a new issue on the former, so we can close this out.

> This doesn't seem to warrant a dot release AFAICT?

Since Jitsi has added a mitigation on their servers, I don't know of another WebRTC site at the moment that is vulnerable. But I didn't do an extensive search, so that doesn't mean there isn't one (or that someone couldn't build one). I tested Hangouts, Google Meet, talky.io, appear.in, and Jitsi. I did NOT test Facebook or Webex, for instance (I'm on PTO now, if someone wants to do that).

If we don't do a dot release, I think we need to ask the person outside of Mozilla to hold off blogging about it until 69 becomes release.

Even without an identified exploit, I'd predict the potential press around this might be negative, given how [last month's](https://duckduckgo.com/?q=zoom+camera+exploit&t=fpas&ia=web) *non-technical* press (e.g. Fortune) seemed more upset about the privacy implications than over the RCE (!)
I only marked it "leave open" since comment 0 mentions two ways to deeplink into attacker rooms: 1) from a top-level domain, solely through navigating to a vulnerable WebRTC site with the attacker room in the URL without the user's intent, and 2) from an embedded iframe that does so on the sly, maybe even visually hiding that this is taking place.

Since I gather the risk profiles are quite different, I'm happy to open a new issue on the former, so we can close this out.

> This doesn't seem to warrant a dot release AFAICT?

Since Jitsi has added a mitigation on their servers, I don't know of another WebRTC site at the moment that is vulnerable. But I didn't do an extensive search, so that doesn't mean there isn't one (or that someone couldn't build one). I tested Hangouts, Google Meet, talky.io, appear.in, and Jitsi. I did NOT test Facebook or Webex, for instance (I'm on PTO now, if someone wants to do that).

If we don't do a dot release, I think we need to ask the person outside of Mozilla to hold off blogging about it until 69 becomes release.

Even without an identified exploit, I'd predict the potential press around this might be negative, given how [last month's](https://duckduckgo.com/?q=zoom+camera+exploit&t=fpas&ia=web) *non-technical* press (e.g. Fortune) seemed more upset about the privacy implications than over Zoom's RCE (!)