[Issue] Critical security issue: Recordings publicly accessible despite visibility settings

[ssergio-ll]

Ours System:

• BigBlueButton Server v3.0.19
• GreenLight v3.7.1

Hello everyone,

I believe I have identified a critical security issue in Greenlight related to the visibility of recordings.

Several clients for whom we have implemented BigBlueButton with Greenlight have reported that their recordings are publicly accessible by anyone who has the recording URL, even when visibility restrictions are configured.

According to Greenlight, the available visibility modes are:

• Public / Protected
• Public
• Protected
• Published
• Unpublished

However, in practice, only the “Unpublished” state fully restricts access.
In all other cases, non-authenticated users can access the recording directly via the URL, without being logged in or authorized.

This behavior represents a major security and privacy concern, especially for:

• Private meetings
• Educational institutions
• Corporate or confidential sessions
• GDPR / data protection compliance

From our testing, this does not appear to be expected behavior and seems more like a bug or misinterpretation of the visibility logic, where “Protected” or similar modes should prevent anonymous access.

I consider this a high-priority issue that should be reviewed and addressed as soon as possible.

Thank you for your time and for the continued work on Greenlight.

Best regards,
Sergio.

[defnull]

Sounds a lot like #6146 or #6132 (comment)

As a workaround, you can disable the misleading recording states in the role configurations for the "User" role.

[farhatahmad]

Yeah Im not sure I would qualify this as a critical security issue - either way, it'll be fixed in the next release

[ssergio-ll]

Yeah Im not sure I would qualify this as a critical security issue - either way, it'll be fixed in the next release

I would say it is critical. Students can share the recording URLs with people who are not registered.

Thank you for taking this into consideration and for having it planned for the next release.

Best regards.

[ssergio-ll]

Yeah Im not sure I would qualify this as a critical security issue - either way, it'll be fixed in the next release

Hello,

After reviewing GreenLight 3.8.0, we can confirm that the issue reported here still persists.

Currently, recordings only support three visibility states: Public, Published, and Unpublished. However, none of these options allow restricting access exclusively to authenticated users.

Specifically:

Public: the recording is accessible via the public recordings page and through a shared link.
Published: the recording remains accessible to anyone with the direct link.
Unpublished: the recording is not accessible at all, even for authorized users.

This means there is no intermediate option that allows:

Restricting access to logged-in users only.
Preventing external access when a link is shared.

From both a functional and security standpoint, this is a critical limitation in educational environments, as students can share recordings with third parties without any access control.

As a result, it is currently not possible to meet basic requirements for restricted content access.

Is there any plan to introduce an authentication-based access model (e.g., “authenticated users only”) or any recommended workaround to mitigate this issue?

Thank you.

[defnull]

https://github.com/blindsidenetworks/scalelite/blob/master/docs/protectedrecordings_README.md

[ssergio-ll]

https://github.com/blindsidenetworks/scalelite/blob/master/docs/protectedrecordings_README.md

I believe this is not a robust or reliable solution. In its current state, Greenlight does not appear to be compliant with GDPR requirements, which is a serious concern. Furthermore, as mentioned earlier, anyone with access to the link can view and share the recordings without restriction. This represents a significant security risk for any academy or training institution handling sensitive or proprietary content.

[defnull]

You are repeating yourself while ignoring the existing solution I just linked. Protected recordings do exactly what you asked for, they prevent users from sharing the recording links outside of greenlight. Why do you think that's not sufficient?