My favorites | Sign in
Google
Project Home
  
Wiki
  
Issues
  
Source
    
New issue | Search
for
| Advanced search | Search tips
Issue 120: XMPP and email interfaces have a privacy leak
10 people starred this issue and may be notified of changes. Back to list
Status:  Fixed
Owner:  ----
Closed:  Sep 22
Cc:  andyster
Type-Defect
Priority-Critical


Sign in to add a comment
 
Reported by BUGabundo, Jun 07, 2009 
Subscriving to an user with private profile, and that doesnt follow you,
still allows you to get the content of their jaikus via XMPP

What is the expected output? What do you see instead?
to not get any jaikus from that user

What version of the product are you using? On what operating system?
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2a1pre) Gecko/20090605
Ubuntu/9.10 (karmic) Minefield/3.6a1pre ID:20090605173855

Please provide any additional information below.

example:
(05:44:35 PM) jaiku@jaiku.com: myrtti: have to <snip>. (link
http://myrtti.jaiku.com/presence/b3e6a6876238406ba2205cf58ded8ff5)
(05:45:08 PM) IM: @myrtti: @myrtti: can you see this? (XMPP private jaikus
leak)
(05:45:16 PM) jaiku@jaiku.com: Operation not allowed
Comment 1 by myrtti, Jun 13, 2009 
If my notifications are leaked through the XMPP bridge to everyone who subscribes to
me EVEN IF I'm not subscribing to them and thus not making them my contacts who I'd
allow to see my updates, then this is a great, big, huge bug. I didn't see a way to
STOP these followers to stop following me, so having recently investigated my
personal online presence and microblogging and limiting the visibility to a group of
trusted friends, this is a show stopper. This needs urgent attention. While the bug
is open, I'm going to stop using Jaiku apart from replying to messages, as I don't
feel comfortable with it anymore.
Comment 2 by adewale, Jun 14, 2009 
It looks like this privacy bug exists in all modes (XMPP, sms, email) except the web interface.

My current theory is that the web interface applies an additional level of filtering when generating the Overview. 
This is why it can re-use the same code as XMPP and email but get different results.

I've raised the priority of this bug since it's privacy related.
Summary: XMPP and email interfaces have a privacy leak
Labels: -Priority-Medium Priority-Critical
Comment 3 by adewale, Jul 22, 2009 
This patch: http://rietku.appspot.com/24001 attempts to fix this bug
Status: Started
Comment 4 by adewale, Jul 22, 2009 
 Issue 56  has been merged into this issue.
Cc: andyster
Comment 5 by andyster, Sep 22, 2009 
closed in r92
Status: Fixed
Sign in to add a comment