[Operators] Remove old unused accounts?

Jonathan Schleifer js-xmpp-operators at webkeks.org
Wed Dec 9 11:20:05 CST 2009


On 09.12.2009 at 16:17, Michael Grigutsch wrote:

> I don't see a big problem in this, as the account either was never  
> used or was not in use for over a year.


Well, I see a big problem with it. A big security problem!

Imagine the user has owner status in a MUC. Now that JID gets
auto-deleted. Someone re-registers that JID and gets owner in the MUC and
could hijack it. Imagine that user has been gone for years, and nobody
remembers him. But now someone DOES remember him suddenly, registers
the JID that user had and takes over the MUC. Same applies for PubSub
etc.

--
Jonathan
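
One way an operator could guard against the re-registration scenario described above, as an added example that is not part of the original message and not any server's own code: before purging stale accounts, list every MUC or PubSub affiliation they still hold, and refuse to release a JID while anything references it. The affiliation export, JIDs, and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample export: (room or node, bare JID, affiliation).
AFFILIATIONS = [
    ("chat@conference.example.org", "olduser@example.org", "owner"),
    ("chat@conference.example.org", "alice@example.org", "owner"),
    ("dev@conference.example.org", "olduser@example.org", "owner"),
    ("pubsub.example.org/news", "olduser@example.org", "publisher"),
    ("dev@conference.example.org", "bob@example.org", "member"),
    ("chat@conference.example.org", "Ghost@Example.org", "admin"),
]

def bare(jid):
    """Drop the resource and lowercase (simplified; real JIDs need full normalization)."""
    return jid.split("/", 1)[0].lower()

def plan_purge(stale_jids, affiliations):
    """Return what must be cleaned up before each stale account is deleted."""
    stale = {bare(j) for j in stale_jids}
    owners = defaultdict(set)
    for entity, jid, aff in affiliations:
        if aff == "owner":
            owners[entity].add(bare(jid))
    plan = {j: {"revoke": [], "orphaned": []} for j in stale}
    for entity, jid, aff in affiliations:
        j = bare(jid)
        if j not in stale or aff == "none":
            continue
        # Any affiliation left behind is inherited by whoever registers the JID next.
        plan[j]["revoke"].append((entity, aff))
        # Every owner of this room/node is being purged: an operator has to
        # decide whether to hand it over or destroy it.
        if aff == "owner" and owners[entity] <= stale:
            plan[j]["orphaned"].append(entity)
    return plan

def safe_to_release(jid, affiliations):
    """A deleted JID may be registered again only once nothing references it."""
    return all(bare(j) != bare(jid) or aff == "none" for _, j, aff in affiliations)

if __name__ == "__main__":
    stale = ["olduser@example.org", "ghost@example.org/home"]
    for jid, actions in sorted(plan_purge(stale, AFFILIATIONS).items()):
        print(jid, actions)
    print("olduser can be re-registered:",
          safe_to_release("olduser@example.org", AFFILIATIONS))
```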


