[jdev] [Security] Spoofing of iq ids and misbehaving servers

Kevin Smith kevin at kismith.co.uk
Sat Feb 1 14:32:23 UTC 2014

On Sat, Feb 1, 2014 at 11:54 AM, Alexander Holler <holler at ahsoftware.de> wrote:
> I don't consider the id (or even the resource name as mentioned in another
> mail) as part of the security concept of XMPP.

I think people probably should.

Non-random resources are a great source of presence leaks.

Non-random ids leak a very small amount of information, but they do
leak information (when receiving a stanza you can predict where in the
life of a stream a client is). This is outside the scope of the
vulnerability of libraries that don't do proper id/target matching,
although those libraries that use random ids are /much/ less
vulnerable to the issue in question.


More information about the JDev mailing list