termie / jaikuengine

Automatically exported from code.google.com/p/jaikuengine
Apache License 2.0

XMPP and email interfaces have a privacy leak #120

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Subscribing to a user with a private profile, and who doesn't follow you,
still allows you to get the content of their jaikus via XMPP

What is the expected output? What do you see instead?
to not get any jaikus from that user

What version of the product are you using? On what operating system?
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2a1pre) Gecko/20090605
Ubuntu/9.10 (karmic) Minefield/3.6a1pre ID:20090605173855

Please provide any additional information below.

example:
(05:44:35 PM) jaiku@jaiku.com: myrtti: have to <snip>. (link
http://myrtti.jaiku.com/presence/b3e6a6876238406ba2205cf58ded8ff5)
(05:45:08 PM) IM: @myrtti: @myrtti: can you see this? (XMPP private jaikus
leak)
(05:45:16 PM) jaiku@jaiku.com: Operation not allowed

Original issue reported on code.google.com by BUGabu...@gmail.com on 7 Jun 2009 at 4:53

GoogleCodeExporter commented 9 years ago
If my notifications are leaked through the XMPP bridge to everyone who subscribes to me EVEN IF I'm not subscribing to them and thus not making them my contacts who I'd allow to see my updates, then this is a great, big, huge bug. I didn't see a way to STOP these followers from following me, so having recently investigated my personal online presence and microblogging and limiting the visibility to a group of trusted friends, this is a show stopper. This needs urgent attention. While the bug is open, I'm going to stop using Jaiku apart from replying to messages, as I don't feel comfortable with it anymore.

Original comment by myr...@gmail.com on 13 Jun 2009 at 10:12

GoogleCodeExporter commented 9 years ago
It looks like this privacy bug exists in all modes (XMPP, SMS, email) except the web interface.

My current theory is that the web interface applies an additional level of filtering when generating the Overview. This is why it can re-use the same code as XMPP and email but get different results.

I've raised the priority of this bug since it's privacy related.

Original comment by adewale on 14 Jun 2009 at 10:27
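
The theory in the comment above, sketched as an added example that is not jaikuengine code and not part of the original thread: a visibility check applied only when the web view renders hides the fact that the shared fan-out already delivered the entry to other transports. All names (`Actor`, `may_view`, `fanout_leaky`, `fanout_checked`, `web_overview`, `xmpp_notify`) and the visibility rule are assumptions made for illustration.

```python
# Hypothetical model for illustration; not jaikuengine's data model or API.
from dataclasses import dataclass, field


@dataclass
class Actor:
    nick: str
    private: bool = False
    contacts: set = field(default_factory=set)     # nicks this actor follows
    subscribers: set = field(default_factory=set)  # nicks subscribed to this actor


def may_view(author, viewer_nick):
    """Assumed rule: a private author's entries are visible only to the
    author and to people the author has added as contacts."""
    return (not author.private
            or viewer_nick == author.nick
            or viewer_nick in author.contacts)


def fanout_leaky(author):
    """Shared delivery path with no check: every subscriber is a recipient."""
    return set(author.subscribers)


def fanout_checked(author):
    """Shared delivery path that applies the rule before any transport runs."""
    return {nick for nick in author.subscribers if may_view(author, nick)}


def web_overview(author, viewer_nick, inbox):
    """Web view that filters again at render time, masking a leaky fan-out."""
    return [entry for entry in inbox if may_view(author, viewer_nick)]


def xmpp_notify(recipients, entry):
    """Transport that trusts whatever recipient list it is handed."""
    return {nick: entry for nick in sorted(recipients)}


# Constructed sample data: alice is private and follows only bob,
# but carol has subscribed to alice without being followed back.
alice = Actor("alice", private=True, contacts={"bob"},
              subscribers={"bob", "carol"})

if __name__ == "__main__":
    print("web, carol:  ", web_overview(alice, "carol", ["private entry"]))
    print("xmpp leaky:  ", xmpp_notify(fanout_leaky(alice), "private entry"))
    print("xmpp checked:", xmpp_notify(fanout_checked(alice), "private entry"))
```

Putting the check in the fan-out means every transport inherits it, and a regression test can assert on the recipient set rather than on what one interface happens to render.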

GoogleCodeExporter commented 9 years ago
This patch: http://rietku.appspot.com/24001 attempts to fix this bug

Original comment by adewale on 22 Jul 2009 at 4:44

GoogleCodeExporter commented 9 years ago
Issue 56 has been merged into this issue.

Original comment by adewale on 22 Jul 2009 at 4:46

GoogleCodeExporter commented 9 years ago
closed in r92

Original comment by andyster on 23 Sep 2009 at 12:28