
Impersonation by misusage of carbons #1704

Closed
guusdk opened this issue Sep 10, 2019 · 1 comment

Comments

@guusdk
Member

commented Sep 10, 2019

Converse 5.0.1 can be tricked into displaying a message as if it was sent by someone else: this allows malicious users to impersonate others.

The following message was rendered by Converse as if it was sent by someone with the nickname i_am_groot:

<message to="georg@yax.im/poezio" id="718d40df-3948-4798-a99b-35cc9f03cc4f-641" type="groupchat" from="xsf@muc.xmpp.org/balu_der_baer">
  <received xmlns="urn:xmpp:carbons:2">
    <forwarded xmlns="urn:xmpp:forward:0">
      <message xmlns="jabber:client" to="xsf@muc.xmpp.org" type="groupchat" from="xsf@muc.xmpp.org/i_am_groot">
        <body>I am groot.</body>
      </message>
    </forwarded>
  </received>
</message>
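As an added defensive example (not code from this issue or from Converse), a Python check that applies the XEP-0280 rule a client needs here: a carbon is accepted only when the outer stanza comes from the user's own bare JID (or carries no from at all), and a carbon-wrapped groupchat message is never rendered as an occupant's post. The forged stanza is the one from the report; the legitimate stanza and the JIDs alice@example.org/phone and georg@yax.im/laptop are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the stanza in the report (XEP-0280 carbons, XEP-0297 forwarding).
NS_CARBONS = "urn:xmpp:carbons:2"
NS_FORWARD = "urn:xmpp:forward:0"
NS_CLIENT = "jabber:client"

def unwrap_carbon(stanza_xml, own_bare_jid):
    """Return (accepted, reason, inner_from); render the payload only if accepted."""
    outer = ET.fromstring(stanza_xml)
    wrapper = outer.find(f"{{{NS_CARBONS}}}received")
    if wrapper is None:
        wrapper = outer.find(f"{{{NS_CARBONS}}}sent")
    if wrapper is None:
        return False, "not a carbon", None

    # XEP-0280: carbons are delivered by the user's own server and are addressed
    # from the user's bare JID (or carry no 'from' at all, which means the same).
    # A carbon from any other sender, such as a MUC occupant, must be ignored.
    sender = outer.get("from")
    if sender is not None and sender != own_bare_jid:
        return False, f"carbon from {sender!r} is not from {own_bare_jid!r}", None

    forwarded = wrapper.find(f"{{{NS_FORWARD}}}forwarded")
    inner = None if forwarded is None else forwarded.find(f"{{{NS_CLIENT}}}message")
    if inner is None:
        return False, "carbon carries no forwarded message", None

    # groupchat traffic is not eligible for carbons, so a carbon-wrapped
    # groupchat message is dropped rather than shown as an occupant's post.
    if inner.get("type") == "groupchat":
        return False, "groupchat messages are never carbon-copied", None

    return True, "ok", inner.get("from")

# The forged stanza from the report above, as received by georg@yax.im/poezio.
FORGED = """<message to="georg@yax.im/poezio" type="groupchat" from="xsf@muc.xmpp.org/balu_der_baer">
  <received xmlns="urn:xmpp:carbons:2"><forwarded xmlns="urn:xmpp:forward:0">
    <message xmlns="jabber:client" to="xsf@muc.xmpp.org" type="groupchat" from="xsf@muc.xmpp.org/i_am_groot">
      <body>I am groot.</body></message></forwarded></received></message>"""

# Constructed legitimate carbon: the user's own server relays a chat message to this resource.
LEGIT = """<message to="georg@yax.im/poezio" from="georg@yax.im" type="chat">
  <received xmlns="urn:xmpp:carbons:2"><forwarded xmlns="urn:xmpp:forward:0">
    <message xmlns="jabber:client" to="georg@yax.im/laptop" type="chat" from="alice@example.org/phone">
      <body>hi</body></message></forwarded></received></message>"""
```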
@jcbrand
Member

commented Sep 11, 2019

@guusdk: Are you sure? I'm not able to reproduce this with a test.

EDIT: sorry my test is wrong, trying again...

@jcbrand jcbrand added the bug label Sep 11, 2019
@jcbrand jcbrand closed this in 0af9bc8 Sep 11, 2019