[Security] [jdev] Spoofing of iq ids and misbehaving servers

Justin Karneges justin at affinix.com
Sat Feb 1 19:38:35 UTC 2014


On 01/31/2014 01:51 PM, Thijs Alkemade wrote:
> Only two clients I've looked at verify that the 'from' actually matches the
> 'to' the iq was sent to:
>
> * Pidgin (libpurple): incrementing counter starting from a random value
> * Swift: UUID

Also Iris-based clients (Psi, Kopete, Kadu). Iq ids aren't random but 
the from address is checked.

Justin
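The two defences discussed in this thread (unpredictable iq ids, and checking that a result's 'from' matches the 'to' the request was addressed to) combined in one small tracker. This is an added example, not code from the thread or from any of the clients named in it; the class name `IqTracker`, the JIDs and the constructed exchange in `demo()` are all assumptions. The "missing 'from' means the user's own account" rule follows RFC 6120; JID comparison is plain string equality, which ignores case-folding of the domain part.

```python
import secrets
import xml.etree.ElementTree as ET


class IqTracker:
    """Tracks outgoing <iq/> requests and validates the results that come back.

    A result is accepted only if (a) its id belongs to a request that is still
    pending and (b) its 'from' equals the 'to' that request was sent to.
    """

    def __init__(self, own_jid):
        # Bare JID of the local account. RFC 6120 8.1.2.1: a stanza received
        # from the server with no 'from' attribute is from the user's own account.
        self.own_bare_jid = own_jid.split("/", 1)[0]
        self.pending = {}  # id -> JID the request was addressed to

    def send(self, to, payload_xml):
        """Build an outgoing iq get, remember who it went to, return the XML."""
        iq_id = secrets.token_urlsafe(16)  # 128 bits of randomness, not a counter
        self.pending[iq_id] = to
        iq = ET.Element("iq", {"type": "get", "id": iq_id, "to": to})
        iq.append(ET.fromstring(payload_xml))
        return ET.tostring(iq, encoding="unicode")

    def handle_response(self, stanza_xml):
        """Return (accepted, reason) for an incoming iq result or error."""
        iq = ET.fromstring(stanza_xml)
        if iq.tag != "iq":
            return False, "not an iq stanza"
        expected_to = self.pending.get(iq.get("id"))
        if expected_to is None:
            return False, "unknown or already used id"
        sender = iq.get("from") or self.own_bare_jid
        if sender != expected_to:
            # Leave the request pending: the genuine answer may still arrive.
            return False, f"from {sender!r} does not match to {expected_to!r}"
        del self.pending[iq.get("id")]  # exactly one answer per request
        return True, "ok"


def request_id(stanza_xml):
    """Helper for callers/tests: read the id attribute of a serialized stanza."""
    return ET.fromstring(stanza_xml).get("id")


def demo():
    """Constructed exchange (not captured traffic): an answer carrying the
    correct id but the wrong sender, followed by the genuine answer, followed
    by a replay of the genuine answer."""
    tracker = IqTracker("alice@example.org/home")
    request = tracker.send(
        "bob@example.org/phone",
        '<query xmlns="http://jabber.org/protocol/disco#info"/>',
    )
    iq_id = request_id(request)
    spoofed = f'<iq type="result" id="{iq_id}" from="mallory@example.net/x"/>'
    genuine = f'<iq type="result" id="{iq_id}" from="bob@example.org/phone"/>'
    return [
        tracker.handle_response(spoofed)[0],   # False: id matches, from does not
        tracker.handle_response(genuine)[0],   # True
        tracker.handle_response(genuine)[0],   # False: id already consumed
    ]


if __name__ == "__main__":
    print(demo())
```

A counter-based id scheme would still pass the `from` check here; the random id only matters against a sender who can forge `from` (a misbehaving server), which is why the two checks are complementary rather than alternatives.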

