With all the attention this week on videoconferencing solutions, we want to take a moment to clearly explain how BlueJeans works on your laptop to serve your security and privacy requirements as well as deliver a great meeting experience.
BlueJeans builds our products with security and privacy top of mind, in addition to user experience. From our authentication options to encryption to our secure data centers to our testing processes and vulnerability bounty program, BlueJeans takes the security, integrity, availability of the service, and the privacy of our users seriously. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at BlueJeans. Learn more about our approach at the BlueJeans Trust Center.
Recently there was an article that raised three vulnerabilities of another vendor’s service:
- The article spotlighted a launcher service of a video conference desktop app that could be activated by malicious websites to join meetings at any time. Based on the users' settings they could have their camera and/or microphone unmuted or muted when they join the meeting.
- The article spotlighted that malicious actors could activate launch of the video service by embedding links into iframes on any website, including in a hidden fashion.
- The article highlighted that there was no way to cleanly uninstall the desktop app or the launcher service on Mac OS.
The BlueJeans meeting platform is not vulnerable to any of these three issues. Our architecture prevents the malicious launches either directly or via iframes and an uninstall wipes all BlueJeans code from your device.
Our model for delivering BlueJeans to your team and organization is built around choice. One of those choices is how users join meetings -- using the Browser or our Desktop App. Let’s cover each in more detail:
BlueJeans Browser Experience (Zero download or installation)
For organizations and end users preferring no download and installation of the app and launcher service, BlueJeans offers its native browser meeting experience, based on our extensive use of the open WebRTC standard. This experience leverages the browsers’ native permission flows to join a meeting with camera and microphone. Here is more detail on our browser offering.
The BlueJeans Desktop App
For organizations and end users who use BlueJeans frequently, we offer a full featured desktop app. The app does use a launcher service to provide a great and reliable join experience. During a meeting join, the launcher service reduces clicks, confusion, and issues where users download the app multiple times. In the past, these have been leading reasons for people being unable to join or late to join meetings. Here is more detail on the motivations and benefits of our launcher service.
From the beginning our launcher service was implemented with security as top of mind. The launcher service ensures that only BlueJeans authorized websites (e.g. bluejeans.com) can launch the BlueJeans desktop app into a meeting. Unlike the issue referenced by the article above, malicious websites cannot launch the BlueJeans desktop app. Further, we do not allow these meeting launches to be embedded as iframes on non BlueJeans-authorized domains. As an ongoing effort we continue to evaluate browser-desktop interaction improvements (including the discussion raised in the article around CORS-RFC1918) to ensure we are offering the best possible solution for users.
In addition, for any customers who are uncomfortable with using the launcher service, they can work with our support team to have the launcher disabled for the desktop app.
Regarding issue number 3 from the article, as mentioned above, an uninstallation of the BlueJeans desktop app completely removes the application and the launcher which come together in a single package.
It is important to let customers choose the best fit for their organization and corporate policies. When it comes to joining meetings, customers—and end users—can choose to use the BlueJeans Zero Download Browser experience, the Desktop App with the launcher, or the Desktop App without the launcher based on their needs.
At BlueJeans, we are very focused on providing great experiences, however security and privacy are of primary importance. We are continuously factoring in protection to every product and feature we release to ensure we are the solution that both end users and IT teams can trust.