BigBlueButton Audio Leakage Vulnerability When Joining Sessions with Microphone Muted

Vulnerability

A vulnerability in BigBlueButton, an open-source virtual classroom platform, causes clients that join a session with the microphone muted to send audio to the server. This issue exists in versions 3.0.19 and prior. Although the server discards audio from muted streams, the transmission could enable a malicious server operator to access this audio data. The problem arises only during the initial connection to the meeting, before the user unmutes the microphone.

Impact

Exploitation of this vulnerability could lead to unauthorized access to audio data from participants, creating a risk of privacy violations.

Reproduction

To reproduce this vulnerability, join a BigBlueButton session using a client version prior to 3.0.20 with the microphone muted. Upon joining, the client will inadvertently send audio to the server, despite the mute status. This audio will not be heard by other participants, but could be accessed by the server operator.

Remediation

Users are advised to upgrade to BigBlueButton version 3.0.20 or later, where this vulnerability has been fixed.

Added: Feb 21, 2026, 8:24 AM
Updated: Feb 21, 2026, 8:24 AM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.6
exploitability: 3.9
remediation: 8.3
relevance: 3.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.