[jdev] [Security] Spoofing of iq ids and misbehaving servers
me at thijsalkema.de
Mon Feb 3 20:43:09 UTC 2014
I've filed tickets today for:
A ticket for SMACK already existed:
All of these I managed to spoof in one way or another.
Additionally, I found out both XMPPFramework and SMACK do not check the 'from'
on roster pushes. This means that any attacker who knows your resource can, at
any moment, not just in a well-timed 100ms window during login, add new
entries to somebody's roster. That was filed separately for SMACK here:
Gajim seems to be working properly; all attempts I made did not work (spoofing
vcards, iq:version replies, rosters). InstantBird is still using libpurple
instead of their JS implementation, so investigating that again was not
necessary. I could not get tkabber to run, so I did not test that further.
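The two checks the post says the affected clients lack, as an added example that is not part of the post or of any of the named libraries: a roster push is accepted only if its 'from' is absent or the user's own bare JID (RFC 6121 section 2.1.6), and an IQ result/error is accepted only if its id is still outstanding and its 'from' is the entity the request was addressed to (a request sent without 'to' is answered by the user's server or bare JID). The JIDs and stanzas are constructed; xml.etree is used for brevity, not as a hardened XMPP parser.

```python
import xml.etree.ElementTree as ET
NS_ROSTER = "jabber:iq:roster"

def bare(jid):
    """Strip the resource: user@host/res -> user@host."""
    return jid.split("/", 1)[0]

class IqGuard:
    """Tracks the IQ requests a client sent and validates replies and roster pushes."""
    def __init__(self, my_jid):
        self.my_bare = bare(my_jid)
        self.server = self.my_bare.split("@", 1)[1]
        self.pending = {}  # iq id -> 'to' of the request ("" when sent to our own server)

    def sent(self, iq_id, to=""):
        self.pending[iq_id] = to

    def accept_reply(self, xml_text):
        """Accept a result/error only if its id is outstanding and 'from' is who we asked."""
        iq = ET.fromstring(xml_text)
        expected = self.pending.get(iq.get("id"))
        if iq.get("type") not in ("result", "error") or expected is None:
            return False  # wrong stanza type, or an id we never sent / already consumed
        sender = iq.get("from", "")
        ok = sender in ("", self.my_bare, self.server) if expected == "" else sender == expected
        if ok:
            del self.pending[iq.get("id")]  # each id is consumed once
        return ok

    def accept_roster_push(self, xml_text):
        """RFC 6121 section 2.1.6: ignore a push unless 'from' is absent or our bare JID."""
        iq = ET.fromstring(xml_text)
        if iq.get("type") != "set" or iq.find(f"{{{NS_ROSTER}}}query") is None:
            return False
        return iq.get("from", "") in ("", self.my_bare)

# Constructed sample stanzas (not from the post); mallory@evil.example is hypothetical.
GOOD_PUSH = ('<iq type="set" id="p1" from="alice@example.org"><query xmlns="jabber:iq:roster">'
             '<item jid="bob@example.org" subscription="both"/></query></iq>')
SPOOFED_PUSH = ('<iq type="set" id="p2" from="mallory@evil.example/x" to="alice@example.org/pc">'
                '<query xmlns="jabber:iq:roster"><item jid="mallory@evil.example"/></query></iq>')
GOOD_VERSION = '<iq type="result" id="v1" from="bob@example.org/laptop"/>'
SPOOFED_VERSION = '<iq type="result" id="v1" from="mallory@evil.example/x"/>'

def demo():
    g = IqGuard("alice@example.org/pc")
    g.sent("v1", to="bob@example.org/laptop")  # e.g. an outgoing jabber:iq:version request
    return (g.accept_roster_push(GOOD_PUSH), g.accept_roster_push(SPOOFED_PUSH),
            g.accept_reply(SPOOFED_VERSION), g.accept_reply(GOOD_VERSION))
```

A spoofed reply that guesses a valid id is still rejected on 'from', and it does not consume the id, so the genuine reply that follows is still accepted.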