[Standards-JIG] ejabberd privacy bug
thoutbeckers at splendo.com
Fri Apr 28 23:27:25 UTC 2006
On Sat, 29 Apr 2006 00:07:57 +0200, Olivier Goffart <ogoffart at gmail.com> wrote:
> I saw this problem with ejabberd; I don't know how other servers are.
> I get an <offline/> notification when the contact is offline, and not when
> the contact is invisible.
> Also, when I try to send a typing notification to offline people, I get
> 503 service-unavailable,
> and not when the person is invisible
> (invisible is set with the <presence type='invisible'/> method).
> This is probably a bug in ejabberd, but the section about security
> considerations of that JEP is empty; server developers should probably be
> warned about that.
Reminds me of back when ICQ was still the most used IM app, and "someone"
wrote a tool that detected invisible contacts through a bug in the ICQ
website. I'd report it to the ejabberd people if you want to make sure it
won't go unnoticed. And you're right, it should probably have been in the
JEP. The reason it wasn't is likely that <presence
type='invisible'/> started out more or less as a hack.
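
An added example, not part of the original thread and not ejabberd's code: a small Python model of the behaviour in the quoted report, next to one possible mitigation and a regression check that the sender-visible replies are identical for offline and invisible contacts. The function names, state constants and reply strings are constructed for illustration, and the mitigation (answering the sender as if an invisible contact were offline) is an assumption about how a server could close the gap.

```python
from dataclasses import dataclass

# Constructed model of a recipient's true state on the server.
OFFLINE, INVISIBLE, AVAILABLE = "offline", "invisible", "available"

@dataclass(frozen=True)
class Stanza:
    has_body: bool             # False = bare typing notification
    wants_offline_event: bool  # sender asked for the <offline/> notification

def replies_for(apparent_state, stanza):
    """What the server sends back to the sender for a given apparent state."""
    if apparent_state != OFFLINE:
        return []
    if not stanza.has_body:
        return ["error 503 service-unavailable"]
    if stanza.wants_offline_event:
        return ["event <offline/>"]
    return []

def route_as_reported(true_state, stanza):
    """Behaviour from the report: replies depend on the recipient's true state."""
    return replies_for(true_state, stanza)

def route_hardened(true_state, stanza):
    """Assumed mitigation: replies depend only on the state the sender may see."""
    apparent = OFFLINE if true_state == INVISIBLE else true_state
    return replies_for(apparent, stanza)

# Constructed sample stanzas covering both reply paths.
SAMPLE_STANZAS = [
    Stanza(has_body=False, wants_offline_event=False),
    Stanza(has_body=True, wants_offline_event=True),
    Stanza(has_body=True, wants_offline_event=False),
]

def distinguishes_invisible(route):
    """Regression check: True if any reply differs between offline and invisible."""
    return any(route(OFFLINE, s) != route(INVISIBLE, s) for s in SAMPLE_STANZAS)

if __name__ == "__main__":
    print("as reported leaks:", distinguishes_invisible(route_as_reported))
    print("hardened leaks:   ", distinguishes_invisible(route_hardened))
```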