[Security] [jdev] Spoofing of iq ids and misbehaving servers

Kim Alvefur zash at zash.se
Sat Feb 1 11:22:56 UTC 2014


On 2014-01-31 22:51, Thijs Alkemade wrote:
> These use an incrementing counter to generate ids, starting from 0. This means
> that, for example, roster retrieval always gets the same id and could be
> spoofed by a fast enough attacker:
> 
> * Gajim (python-nbxmpp)
> * Strophe
> * Miranda
> * InstantBird

Also:

* Verse

You would need to guess the full JID to spoof things done before
presence is sent.  So, unpredictable resources are good.

Also, unpredictable iq ids would not help against an attacker capable of
reading the ids off the wire.

--
Kim "Zash" Alvefur
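
The two points in the message above (unpredictable resources, and iq ids that are not a counter starting at 0), as an added example that is not part of the original message and is not code from any of the clients listed. `IqTracker`, `bare` and the JIDs are hypothetical; matching the reply's `from` against the request's `to`, and the set of senders accepted for a request without `to`, are assumptions of this sketch. As the message notes, none of this helps against an attacker who can read the ids off the wire.

```python
import secrets
from typing import Optional


def bare(jid: str) -> str:
    """Strip the resource part: user@host/res -> user@host."""
    return jid.split("/", 1)[0]


class IqTracker:
    """Tracks outstanding iq requests for one session (hypothetical helper)."""

    def __init__(self, localpart: str, domain: str):
        # Unpredictable resource: an attacker has to guess the full JID
        # for anything done before presence is sent.
        self.full_jid = f"{localpart}@{domain}/{secrets.token_urlsafe(12)}"
        self.domain = domain
        self._pending = {}  # iq id -> 'to' of the request (None = own server)

    def new_request(self, to: Optional[str] = None) -> str:
        # 128 bits from the OS CSPRNG instead of a counter starting at 0.
        iq_id = secrets.token_urlsafe(16)
        self._pending[iq_id] = to
        return iq_id

    def _sender_ok(self, to: Optional[str], sender: Optional[str]) -> bool:
        if to is not None:
            return sender == to
        # Assumption: replies to a request without 'to' carry no 'from',
        # the account's bare or full JID, or the server's domain.
        return sender in (None, bare(self.full_jid), self.full_jid, self.domain)

    def accept_response(self, iq_id: str, sender: Optional[str]) -> bool:
        """True only for the first reply matching a pending id and its peer."""
        if iq_id not in self._pending:
            return False
        if not self._sender_ok(self._pending[iq_id], sender):
            return False  # keep the request pending for the real reply
        del self._pending[iq_id]
        return True
```
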
