Presentation topic:

Video chats and online meeting platforms are popular now. And, of course, they become interesting for hackers. But is it possible to hack these systems without any deep knowledge about WebRTC and custom protocols? Simple answer: yes.  

There are several great teams (like Google Project Zero) and researchers, who check protocols and open-source implementations. And there are a lot of mobile, desktop, and web applications from different companies and vendors, which use different implementations of audio and video communications: from chats for funny talks to encrypted enterprise systems and professional communications. 

Aleksandr research focuses on the middle layout of some popular apps and systems: a part of the system, that is used to connect core libraries and UI (Web, Mobile, or desktop). And found interesting different logical issues, that allow to intercept calls, start calls without interaction with a user, and get private user’s information.

 During this talk Aleksandr will show several real-life cases:

 * A vulnerability in social network allowed to modify an invitation link to video chat and use CSRF to start a video call without permission from the user.

 * A vulnerability in a messenger allowed to use an insecure behavior of URL scheme and start a call without permission from the user.

 * A vulnerability in a mobile messenger allowed to get private information of a user (First and second name, phone number, and email) after visiting a specially created page.

 * Insecure popular default configuration in open-source videocall system allowed to create a parallel call and overhear a user.

 The main idea of this research is to show that different applications and systems may be created with secure video call protocols and libraries, but still have logical issues, that allow performing effective attacks.