eclipse / paho.mqtt.java

Eclipse Paho Java MQTT client library. Paho is an Eclipse IoT project.
https://eclipse.org/paho

Security: Client ID used as thread name #922

Open zaboople opened 2 years ago

zaboople commented 2 years ago

So I am noticing that MQTT3 & MQTT5 drivers use the client ID as part of the name for various background threads. Here's one example of it being passed through:

https://github.com/eclipse/paho.mqtt.java/blob/master/org.eclipse.paho.mqttv5.client/src/main/java/org/eclipse/paho/mqttv5/client/internal/ClientComms.java#L785

My understanding is that the client ID is essentially intended as a sort of "cookie" that uniquely identifies a session, such that stealing that client ID means you can steal someone's session. Just as an example, a lot of logging frameworks log the current Thread name, which is usually useful for diagnostics, but logging credentials is generally considered a security anti-pattern. So I think "leaking" that client ID out like this is a security risk.

I haven't actually demoed a successful "session stealing" attempt like this; just relying on what I've seen indicated in documentation for other MQTT systems. I know VerneMQ authors specifically insisted that the client ID identifies the session.

If I check on thread names at runtime when subscribing to a topic, I'll typically see

MQTT Con: <id>
MQTT Rec: <id>
MQTT Snd: <id>
MQTT Call: <id>
MQTT Ping: <id>

- where <id> is my client id.
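The following Java program is an added illustration of the concern raised in this issue; it is not code from the Paho project. It starts a thread named in the `MQTT Con: <id>` shape listed above (the client ID is a constructed sample) and logs from it through two `java.util.logging` layouts: one that prints the raw thread name, as many logging layouts do, and one that keeps the thread role but replaces the ID with a short SHA-256 digest. The redaction pattern, the `RedactingFormatter` class and the `redactThreadName` helper are all assumptions introduced here, not part of any Paho API.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.logging.ConsoleHandler;
import java.util.logging.Formatter;
import java.util.logging.Handler;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ThreadNameLeakDemo {

    // Constructed sample client ID; stands in for a real session-identifying value.
    static final String CLIENT_ID = "client-0123456789abcdef";

    // Matches the thread-name shapes listed in the issue: "MQTT Con: <id>", "MQTT Rec: <id>", ...
    // (assumed pattern; derived from the names quoted in the report, not from Paho source)
    static final Pattern MQTT_THREAD =
        Pattern.compile("^(MQTT (?:Con|Rec|Snd|Call|Ping)): (.+)$");

    /** Layout that prints the raw thread name, as many logging layouts do by default. */
    static class RawFormatter extends Formatter {
        @Override public String format(LogRecord r) {
            // format() runs on the thread that called log.info(), so this is the library thread's name
            return "[" + Thread.currentThread().getName() + "] "
                 + r.getMessage() + System.lineSeparator();
        }
    }

    /** Layout that keeps the thread role but replaces the client ID with a short digest. */
    static class RedactingFormatter extends Formatter {
        @Override public String format(LogRecord r) {
            return "[" + redactThreadName(Thread.currentThread().getName()) + "] "
                 + r.getMessage() + System.lineSeparator();
        }
    }

    /** Replace the client-ID part of an "MQTT <role>: <id>" thread name with a truncated SHA-256. */
    static String redactThreadName(String name) {
        Matcher m = MQTT_THREAD.matcher(name);
        if (!m.matches()) return name;                    // not an MQTT-style name; leave as-is
        return m.group(1) + ": " + shortDigest(m.group(2));
    }

    /** First 4 bytes of SHA-256, hex-encoded: enough to correlate log lines, not enough to recover the ID. */
    static String shortDigest(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                                    .digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder("sha256:");
            for (int i = 0; i < 4; i++) sb.append(String.format("%02x", d[i]));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);           // SHA-256 is mandatory in every JRE
        }
    }

    /** Build an isolated logger that writes through the given layout only. */
    static Logger loggerWith(Formatter f) {
        Logger log = Logger.getLogger("demo." + f.getClass().getSimpleName());
        log.setUseParentHandlers(false);
        for (Handler h : log.getHandlers()) log.removeHandler(h);
        Handler h = new ConsoleHandler();
        h.setFormatter(f);
        log.addHandler(h);
        return log;
    }

    public static void main(String[] args) throws InterruptedException {
        Logger raw  = loggerWith(new RawFormatter());
        Logger safe = loggerWith(new RedactingFormatter());

        // Simulate a library thread named after the client ID, as the issue describes.
        Thread t = new Thread(() -> {
            raw.info("connected");    // the raw layout writes the full client ID into the log line
            safe.info("connected");   // the redacting layout writes "MQTT Con: sha256:<8 hex>" instead
        }, "MQTT Con: " + CLIENT_ID);
        t.start();
        t.join();
    }
}
```

The digest keeps thread lines from one client correlatable for diagnostics without writing the ID itself to disk. Note that a formatter like this only covers the application's own logging configuration; thread names are still visible to anything else that enumerates threads (thread dumps, profilers, monitoring agents), which is why the issue asks for the name to change in the library rather than in consumers.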