Issue 120: XMPP and email interfaces have a privacy leak
Subscribing to a user with a private profile, and that doesn't follow you, still allows you to get the content of their jaikus via XMPP

What is the expected output? What do you see instead?
to not get any jaikus from that user

What version of the product are you using? On what operating system?
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2a1pre) Gecko/20090605 Ubuntu/9.10 (karmic) Minefield/3.6a1pre ID:20090605173855

Please provide any additional information below.
example:
(05:44:35 PM) jaiku@jaiku.com: myrtti: have to <snip>. (link http://myrtti.jaiku.com/presence/b3e6a6876238406ba2205cf58ded8ff5)
(05:45:08 PM) IM: @myrtti: @myrtti: can you see this? (XMPP private jaikus leak)
(05:45:16 PM) jaiku@jaiku.com: Operation not allowed
Jun 13, 2009
#1
myr...@gmail.com
Jun 14, 2009
It looks like this privacy bug exists in all modes (XMPP, SMS, email) except the web interface. My current theory is that the web interface applies an additional level of filtering when generating the Overview. This is why it can re-use the same code as XMPP and email but get different results. I've raised the priority of this bug since it's privacy related.
Summary: XMPP and email interfaces have a privacy leak
Labels: -Priority-Medium Priority-Critical
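
The theory in comment #1, sketched as an added example (not Jaiku's code and not part of the original thread): a shared subscription helper with the privacy filter applied only in the web view, next to a version that enforces it in the shared layer. All names, the sample users and the visibility rule (a private author's entries are visible only to users the author follows) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    nick: str
    private: bool = False
    follows: set = field(default_factory=set)  # nicks this user subscribes to

@dataclass
class Entry:
    author: str
    text: str

# Constructed sample data: bob subscribes to private alice, who does not follow him.
USERS = {
    "alice": User("alice", private=True),
    "bob": User("bob", follows={"alice", "carol"}),
    "carol": User("carol"),
}
ENTRIES = [Entry("alice", "private note"), Entry("carol", "public note")]

def can_view(viewer, author):
    """Assumed rule: private entries are visible to the author and to users the author follows."""
    owner = USERS[author]
    return (not owner.private) or viewer == author or viewer in owner.follows

def subscribed_entries(viewer):
    """Shared helper: entries from everyone the viewer subscribed to, with no privacy check."""
    return [e for e in ENTRIES if e.author in USERS[viewer].follows]

def web_overview(viewer):
    # The extra filter lives only in the web view, so only this interface is safe.
    return [e.text for e in subscribed_entries(viewer) if can_view(viewer, e.author)]

def xmpp_messages_leaky(viewer):
    # Reuses the shared helper but never applies the view-level filter.
    return [f"{e.author}: {e.text}" for e in subscribed_entries(viewer)]

def visible_entries(viewer):
    """Hardened shared helper: authorization is enforced once, for every interface."""
    return [e for e in subscribed_entries(viewer) if can_view(viewer, e.author)]

def xmpp_messages_fixed(viewer):
    return [f"{e.author}: {e.text}" for e in visible_entries(viewer)]
```

Comparing the output of each interface for the same viewer, as in this sketch, is also a simple regression check that every delivery path enforces the same visibility rule.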