[jdev] [Security] Spoofing of iq ids and misbehaving servers

Thijs Alkemade me at thijsalkema.de
Mon Feb 3 20:43:09 UTC 2014

I've filed tickets today for:

XMPPFramework: https://github.com/robbiehanson/XMPPFramework/issues/300
Strophe.js: https://github.com/strophe/strophejs/issues/56
SleekXMPP: https://github.com/fritzy/SleekXMPP/issues/278
Miranda-NG: http://trac.miranda-ng.org/ticket/569

A ticket for SMACK already existed:


All of these I managed to spoof in one way or another.

Additionally, I found out both XMPPFramework and SMACK do not check the 'from'
on roster pushes. This means that any attacker who knows your resource can, at
any moment, and not just in a well-timed 100ms window during login, add new
entries to somebody's roster. That was filed separately for SMACK here:


Gajim seems to be working properly, all attempts I made did not work (spoofing
vcards, iq:version replies, rosters). InstantBird is still using libpurple
instead of their JS implementation, so investigating that again was not
necessary. I could not get tkabber to run, so I did not test that further.
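The two client-side checks this message is about (matching an iq reply against the request it answers, and ignoring roster pushes that do not come from the user's own account), as an added example that is not code from the original post or from any of the clients named in it. The StanzaGuard class, its method names and the sample stanzas are assumptions made for illustration; the acceptance rules follow RFC 6120 section 8.1.2.1 (replies to requests sent to one's own server or account) and RFC 6121 section 2.1.6 (roster pushes).

```python
import xml.etree.ElementTree as ET

# Namespaced tag ElementTree produces for <query xmlns='jabber:iq:roster'/>
ROSTER_QUERY = "{jabber:iq:roster}query"


def local_name(tag):
    """Strip an ElementTree namespace prefix: '{jabber:client}iq' -> 'iq'."""
    return tag.rsplit("}", 1)[-1]


def bare_jid(jid):
    """'user@host/resource' -> 'user@host'."""
    return jid.split("/", 1)[0]


def domain_of(jid):
    """'user@host/resource' -> 'host'."""
    return bare_jid(jid).rsplit("@", 1)[-1]


class StanzaGuard:
    """Hypothetical client-side filter for inbound <iq/> stanzas (assumed name)."""

    def __init__(self, own_jid):
        self.own_bare = bare_jid(own_jid)
        self.own_domain = domain_of(own_jid)
        # id of each outstanding request -> the 'to' it was sent to (None = own server)
        self.pending = {}

    def send_request(self, iq_id, to=None):
        """Record an outgoing iq get/set so its reply can be matched later."""
        self.pending[iq_id] = to

    def accept_iq_reply(self, stanza_xml):
        """True only if the reply matches a pending id AND comes from the entity we asked."""
        iq = ET.fromstring(stanza_xml)
        if local_name(iq.tag) != "iq" or iq.get("type") not in ("result", "error"):
            return False
        iq_id = iq.get("id")
        if iq_id not in self.pending:
            return False  # unknown, guessed, or already-consumed id
        expected_to = self.pending[iq_id]
        sender = iq.get("from")
        if expected_to is None:
            # Request went to our own server/account (RFC 6120 sec. 8.1.2.1):
            # the answer carries no 'from', our bare JID, or our server's domain.
            ok = sender in (None, self.own_bare, self.own_domain)
        else:
            # Otherwise the reply must come from exactly the JID we addressed,
            # so a matching id alone (the spoofing in the tickets) is not enough.
            ok = sender == expected_to
        if ok:
            del self.pending[iq_id]  # one reply per id; a later duplicate is rejected
        return ok

    def accept_roster_push(self, stanza_xml):
        """RFC 6121 sec. 2.1.6: honour a push only if 'from' is absent or our bare JID."""
        iq = ET.fromstring(stanza_xml)
        if local_name(iq.tag) != "iq" or iq.get("type") != "set":
            return False
        if iq.find(ROSTER_QUERY) is None:
            return False
        sender = iq.get("from")
        return sender is None or sender == self.own_bare


# Constructed sample stanzas for the demo (not captured traffic).
GENUINE_VERSION_REPLY = (
    "<iq type='result' id='v1' from='juliet@example.com/balcony'>"
    "<query xmlns='jabber:iq:version'><name>Gajim</name></query></iq>"
)
SPOOFED_VERSION_REPLY = (
    "<iq type='result' id='v1' from='mallory@example.net/x'>"
    "<query xmlns='jabber:iq:version'><name>Evil</name></query></iq>"
)
GENUINE_ROSTER_PUSH = (
    "<iq type='set' id='p1'><query xmlns='jabber:iq:roster'>"
    "<item jid='juliet@example.com' subscription='both'/></query></iq>"
)
SPOOFED_ROSTER_PUSH = (
    "<iq type='set' id='p2' from='mallory@example.net/x'><query xmlns='jabber:iq:roster'>"
    "<item jid='mallory@example.net' subscription='both'/></query></iq>"
)


def run_demo():
    """Feed the constructed stanzas through the guard; returns name -> accepted?"""
    guard = StanzaGuard("romeo@example.com/orchard")
    guard.send_request("v1", to="juliet@example.com/balcony")
    return {
        "spoofed_reply": guard.accept_iq_reply(SPOOFED_VERSION_REPLY),
        "genuine_reply": guard.accept_iq_reply(GENUINE_VERSION_REPLY),
        "replayed_reply": guard.accept_iq_reply(GENUINE_VERSION_REPLY),
        "genuine_push": guard.accept_roster_push(GENUINE_ROSTER_PUSH),
        "spoofed_push": guard.accept_roster_push(SPOOFED_ROSTER_PUSH),
    }


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Note that the spoofed reply is rejected without consuming the pending id, so the genuine reply that arrives afterwards is still accepted; a push whose 'from' is the user's own full JID is also rejected, since the RFC text only allows an absent 'from' or the bare JID.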
