Issue 120: XMPP and email interfaces have a privacy leak
10 people starred this issue and may be notified of changes.
Status:  Fixed
Owner:  ----
Closed:  Sep 2009
Cc:  andyster


 
Reported by BUGabu...@gmail.com, Jun 7, 2009
Subscribing to a user with a private profile, and that doesn't follow you,
still allows you to get the content of their jaikus via XMPP

What is the expected output? What do you see instead?
to not get any jaikus from that user

What version of the product are you using? On what operating system?
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2a1pre) Gecko/20090605
Ubuntu/9.10 (karmic) Minefield/3.6a1pre ID:20090605173855

Please provide any additional information below.

example:
(05:44:35 PM) jaiku@jaiku.com: myrtti: have to <snip>. (link
http://myrtti.jaiku.com/presence/b3e6a6876238406ba2205cf58ded8ff5)
(05:45:08 PM) IM: @myrtti: @myrtti: can you see this? (XMPP private jaikus
leak)
(05:45:16 PM) jaiku@jaiku.com: Operation not allowed
Jun 13, 2009
#1 myr...@gmail.com
If my notifications are leaked through the XMPP bridge to everyone who subscribes to
me EVEN IF I'm not subscribing to them and thus not making them my contacts who I'd
allow to see my updates, then this is a great, big, huge bug. I didn't see a way to
STOP these followers from following me, so having recently investigated my
personal online presence and microblogging and limiting the visibility to a group of
trusted friends, this is a show stopper. This needs urgent attention. While the bug
is open, I'm going to stop using Jaiku apart from replying to messages, as I don't
feel comfortable with it anymore.
Jun 14, 2009
Project Member #2 adewale
It looks like this privacy bug exists in all modes (XMPP, SMS, email) except the web interface.

My current theory is that the web interface applies an additional level of filtering when generating the Overview. 
This is why it can re-use the same code as XMPP and email but get different results.

I've raised the priority of this bug since it's privacy related.
Summary: XMPP and email interfaces have a privacy leak
Labels: -Priority-Medium Priority-Critical
Jul 22, 2009
Project Member #3 adewale
This patch: http://rietku.appspot.com/24001 attempts to fix this bug
Status: Started
Jul 22, 2009
Project Member #4 adewale
Issue 56 has been merged into this issue.
Cc: andyster
Sep 22, 2009
Project Member #5 andyster
closed in r92
Status: Fixed
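
The theory in comment #2 (shared fan-out code, with only the web Overview applying a visibility filter) can be modelled as follows. This is an added example, not Jaiku's code and not the fix from r92; `Actor`, `can_view`, both fan-out functions and the sample users are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass, field

TRANSPORTS = ("web", "xmpp", "email")

@dataclass
class Actor:
    nick: str
    private: bool = False
    contacts: set = field(default_factory=set)  # nicks this actor follows

def can_view(owner, viewer):
    # Public entries are visible to all; private ones only to the owner
    # and to people the owner has added as contacts.
    return (not owner.private or viewer.nick == owner.nick
            or viewer.nick in owner.contacts)

def subscribers_of(owner, actors):
    return [a for a in actors.values() if owner.nick in a.contacts]

def fan_out_render_only(owner, actors):
    # Models the theory in comment #2: the shared code queues every
    # subscriber, and only the web Overview re-checks visibility.
    out = []
    for sub in subscribers_of(owner, actors):
        for t in TRANSPORTS:
            if t == "web" and not can_view(owner, sub):
                continue
            out.append((sub.nick, t))
    return sorted(out)

def fan_out_checked(owner, actors):
    # Visibility is decided once, before any transport is chosen,
    # so XMPP, email and web cannot disagree.
    out = []
    for sub in subscribers_of(owner, actors):
        if can_view(owner, sub):
            out.extend((sub.nick, t) for t in TRANSPORTS)
    return sorted(out)

# Constructed sample: alice is private and follows only bob;
# carol subscribes to alice without being one of alice's contacts.
ACTORS = {
    "alice": Actor("alice", private=True, contacts={"bob"}),
    "bob": Actor("bob", contacts={"alice"}),
    "carol": Actor("carol", contacts={"alice"}),
}

if __name__ == "__main__":
    print(fan_out_render_only(ACTORS["alice"], ACTORS))
    print(fan_out_checked(ACTORS["alice"], ACTORS))
```

A regression test for this class of bug asserts the delivery list per transport, not just what the web view renders.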
