[Standards-JIG] ejabberd privacy bug

Tijl Houtbeckers thoutbeckers at splendo.com
Fri Apr 28 23:27:25 UTC 2006


On Sat, 29 Apr 2006 00:07:57 +0200, Olivier Goffart <ogoffart at gmail.com>  
wrote:

> I saw this problem with ejabberd, I don't know how other servers are
> affected.
>
> I get <offline/> notification when the contact is offline, and not when
> the contact is invisible.
>
> Also, when I try to send typing notification to offline people, I get
> error 503 service-unavailable, and not when the person is invisible.
>
> (invisible is set with the <presence type='invisible'/> method)
>
> This is probably a bug in ejabberd, but the section about security
> consideration of that JEP is empty; server developers should probably be
> warned about that.

Well spotted..
Reminds me of back when ICQ was still the most used IM app, and "someone"
wrote a tool that detected invisible contacts through a bug in the ICQ
website. I'd report it to the ejabberd people if you want to make sure it
won't go unnoticed. And you're right, it should have been in the JEP
probably.. the reason it wasn't is likely that <presence
type='invisible'/> started out more or less as a hack.
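The leak reported above comes down to one observable difference: the server answers a chat-state notification with a 503 error when the contact is offline but stays silent when the contact is invisible, so the sender can tell the two apart. The following is an added example, not code from this thread or from ejabberd, that models that routing decision in a toy form and shows the property a server should enforce: the sender-visible reply for an invisible contact must be identical to the reply for an offline contact, whatever the server does internally. The `Presence` states, `route_leaky`, `route_private` and `leaks_invisibility` are assumptions made for illustration.

```python
"""Toy model of presence-leak-through-error-replies (added example; the state
names, functions and inputs are constructed, not ejabberd's code)."""

from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Presence(Enum):
    ONLINE = "online"        # connected and broadcasting presence
    INVISIBLE = "invisible"  # connected, but sent <presence type='invisible'/>
    OFFLINE = "offline"      # no active session


@dataclass(frozen=True)
class Outcome:
    """Result of routing a chat-state notification (e.g. <composing/>).

    `reply` is what the *sender* observes (None = silently accepted, or an
    error condition such as "service-unavailable", i.e. the 503 in the report).
    `deliver_to_session` is internal: whether the stanza reaches a live
    session of the contact. Only `reply` is visible to the sender.
    """
    reply: Optional[str]
    deliver_to_session: bool


def route_leaky(contact: Presence) -> Outcome:
    """Behaviour described in the report: the reply follows the contact's
    real session state, so invisible and offline produce different replies."""
    if contact is Presence.OFFLINE:
        # chat states are not stored offline, so the server bounces them
        return Outcome(reply="service-unavailable", deliver_to_session=False)
    # online or invisible: a session exists, stanza delivered, no error
    return Outcome(reply=None, deliver_to_session=True)


def route_private(contact: Presence) -> Outcome:
    """Privacy-preserving variant: the reply is computed from what the sender
    is *allowed* to know. An invisible contact gets the offline reply even
    though the stanza is still handed to their live session."""
    offline_reply = "service-unavailable"
    if contact is Presence.ONLINE:
        return Outcome(reply=None, deliver_to_session=True)
    if contact is Presence.INVISIBLE:
        return Outcome(reply=offline_reply, deliver_to_session=True)
    return Outcome(reply=offline_reply, deliver_to_session=False)


def leaks_invisibility(router: Callable[[Presence], Outcome]) -> bool:
    """True when the sender can distinguish an invisible contact from an
    offline one using only the observable reply."""
    return router(Presence.INVISIBLE).reply != router(Presence.OFFLINE).reply


if __name__ == "__main__":
    for name, router in (("leaky", route_leaky), ("private", route_private)):
        print(f"{name}: leaks invisibility = {leaks_invisibility(router)}")
```

The same check applies to any other sender-visible signal the report mentions, such as whether an `<offline/>` chat-state is emitted: compute the signal from the sender's permitted view of the contact, then verify for every pair of states the sender must not be able to separate that the observable outputs are equal.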
