[jdev] [Security] Spoofing of iq ids and misbehaving servers
Justin Karneges
justin at affinix.com
Sat Feb 1 19:38:35 UTC 2014
On 01/31/2014 01:51 PM, Thijs Alkemade wrote:
> Only two clients I've looked at verify that the 'from' actually matches the
> 'to' the iq was sent to:
>
> * Pidgin (libpurple): incrementing counter starting from a random value
> * Swift: UUID
Also Iris-based clients (Psi, Kopete, Kadu). Iq ids aren't random but
the from address is checked.
Justin
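The check discussed in this thread, as an added example that is not part of the original message or taken from any of the clients named in it: a response is accepted only when both its id and its 'from' match a pending request. The `IqTracker` class, its method names and the sample JIDs are hypothetical; JIDs are compared as plain strings (a real client would normalize them first), and accepting an absent 'from' or the account's bare JID for a request sent without 'to' is an assumption about server behaviour.

```python
import secrets


class IqTracker:
    """Hypothetical tracker: pending iq requests keyed by id, checked on 'from'."""

    def __init__(self, own_jid):
        self.own_bare = own_jid.split("/", 1)[0]
        self.pending = {}  # iq id -> the 'to' the request was sent to (None = own server)

    def send(self, to=None):
        # Unpredictable id, so a third party cannot guess it; the 'from'
        # check in receive() is still required in addition to this.
        iq_id = secrets.token_hex(16)
        self.pending[iq_id] = to
        return iq_id

    def _sender_ok(self, sent_to, resp_from):
        if sent_to is None:
            # Assumption: the server answers with no 'from' or the account's bare JID.
            return resp_from in (None, self.own_bare)
        return resp_from == sent_to

    def receive(self, iq_id, resp_from, iq_type):
        if iq_type not in ("result", "error"):
            return "not-a-response"
        if iq_id not in self.pending:
            return "unknown-id"
        if not self._sender_ok(self.pending[iq_id], resp_from):
            # Keep the request pending: the genuine reply may still arrive.
            return "spoofed"
        del self.pending[iq_id]
        return "accepted"


if __name__ == "__main__":
    # Constructed sample JIDs, for illustration only.
    t = IqTracker("alice@example.org/laptop")
    rid = t.send("bob@example.net/phone")
    print(t.receive(rid, "mallory@example.com/x", "result"))
    print(t.receive(rid, "bob@example.net/phone", "result"))
```
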