[standards-jig] JEP:0015 Account Transfer

Iain Shigeoka iainshigeoka at yahoo.com
Thu Jan 24 16:55:01 UTC 2002

On 1/24/02 7:42 AM, "Casey Crabb" <debug at nafai.dyndns.org> wrote:

> In this scenario the only thing a user does is request account transfer;
> the servers actually send all the necessary requests; therefore it is
> necessary to trust the servers are doing the right thing; you don't have
> to worry about clients doing evil things; except in the case that an
> account has been breached. In the case of a breached account lots of bad
> things can happen.
> What other security holes am I not seeing?  I know they are there..

:)  I seem to be playing old curmudgeon/devil's advocate a lot lately...
You may want to crosspost this to the security-jig list to have the security
team look at this issue (if you want a security breakdown).  (However, in
the last Foundation meeting we tentatively decided to try and rework the JIG
system to avoid this sort of problem of not having the right people see
issues... Sorry I digress.)

OK.  Here's one I thought of as I read your description.

Scenario (rogue server): I (rogue spammer) set up a script that slams your
server that supports account transfer.  The script simply floods your server
with account transfer requests acting like a server.  Since you allow
account transfers, and must expect that a single server may legitimately
make many of these requests, your server accepts them.  The script then
proceeds to spam the world through your server using all of these accounts.
A normal server could limit the number of registrations from a single IP to
prevent spammer account creation, prevent "open" registrations, etc...

The exploit is really part of the basic weakness in s2s security in Jabber.
Servers must trust each other but have no mechanism for establishing that
trust except using some sort of white/blacklisting by address scheme.
Dialback only establishes that a server is who it says it is.

Account transfers worsen the hole, though. The consequences of a compromised
server can normally be minimized (for example, limiting the number of new
account registrations from a single address to some small number).  Now a
compromised server can also result in wide-scale hijacking of accounts.

A similar exploit can probably be imagined if you can't completely trust
your own server (ala the long distance phone slamming escapades of the early

So, in most ways, I'd say that account transfers aren't much of a security
threat in itself, but it helps to fuel an existing (smoldering) security


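An added example, not code from the original post or from any Jabber server, of the per-address limit the post describes as the usual defence against spammer account creation, applied here to server-to-server account transfer requests. The class and function names, the threshold (5 per hour), the addresses and the sample traffic are all assumptions made up for illustration.

```python
# Added example (not part of the original mailing-list post or any Jabber
# implementation): throttle account-transfer requests per peer network address,
# the same idea the post mentions for limiting registrations from one address.
# Names, thresholds and sample addresses are assumptions for illustration.
from collections import defaultdict, deque


class TransferThrottle:
    """Sliding-window limit on admitted requests per peer address.

    A request is admitted only if fewer than `max_per_window` requests from the
    same address were admitted during the last `window_seconds`.
    """

    def __init__(self, max_per_window=5, window_seconds=3600):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        # peer address -> timestamps of requests admitted inside the window
        self._admitted = defaultdict(deque)

    def allow(self, peer_addr, now):
        """Return True if a request from `peer_addr` at time `now` is admitted."""
        window = self._admitted[peer_addr]
        # Forget admissions that have aged out of the window.
        while window and now - window[0] >= self.window_seconds:
            window.popleft()
        if len(window) >= self.max_per_window:
            return False
        window.append(now)
        return True


def process_transfers(requests, max_per_window=5, window_seconds=3600):
    """Run (time, peer_addr, claimed_domain, account) tuples, assumed to be in
    time order per address, through the throttle and return per-address counts
    of accepted and rejected requests.

    The claimed domain is deliberately NOT the throttle key: dialback can show a
    peer controls the domain it claims, but a rogue operator can claim a fresh
    domain on every request, so the network address is the only stable handle.
    """
    throttle = TransferThrottle(max_per_window, window_seconds)
    tally = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for ts, peer_addr, claimed_domain, account in requests:
        verdict = "accepted" if throttle.allow(peer_addr, ts) else "rejected"
        tally[peer_addr][verdict] += 1
    return dict(tally)


# Constructed sample traffic (not real logs): a script at one address hammering
# the server with transfer requests for many accounts in two bursts an hour
# apart, plus a legitimate peer server making a few requests over a day.
ROGUE_ADDR = "203.0.113.7"
LEGIT_ADDR = "198.51.100.2"
SAMPLE_REQUESTS = (
    [(t, ROGUE_ADDR, "rogue.example", f"spam{t}") for t in range(50)]
    + [(t, ROGUE_ADDR, "rogue.example", f"spam{t}") for t in range(3600, 3610)]
    + [
        (0, LEGIT_ADDR, "jabber.example", "alice"),
        (7200, LEGIT_ADDR, "jabber.example", "bob"),
        (40000, LEGIT_ADDR, "jabber.example", "carol"),
    ]
)


if __name__ == "__main__":
    for addr, counts in process_transfers(SAMPLE_REQUESTS).items():
        print(addr, counts)
```

Running it admits only 5 of the 50 requests in the first burst and 5 of the 10 in the second (the window slides, so the hour-old admissions fall out one by one), while the legitimate peer's three requests all pass. The caveat the post itself makes still applies: this only raises the cost for a single source address; it establishes no trust, and a rogue operator spreading requests across many addresses, or a compromised but otherwise legitimate server, is not stopped by it.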