XMPP framework - security issue with auto accepting subscription request

[Jindrich Sarson]

Hi,

By default, XmppFramework automatically accepts known subscription request for users, that are already in roster. The idea is described in XmppRoster.h, but unfortunately, the assumptions described in this file is false. The assumption is, that only user himself can item into roster, so that XmppFramework auto accepts only users, that are known to user.

However, XMPP protocol defines also subscription pre-approval. As described in XMPP spec: https://xmpp.org/rfcs/rfc6121.html#sub-preapproval-proc, after sending pre-approval to another user, the another user is added to this user's roster automatically by XMPP server with subscription="none".

With knowledge of this, lets have Bob and Alice. Bob wants to "stalk" Alice. To do this, Bob has to do those steps:

1. Bob send Pre-approval subscription to Alice. Using this, the XMPP server adds Bob into Alice's roster with subscription none.
2. then Bob send subscription request to Alice. Alice is using app with XMPPFramework with Roster plugin enabled. Because Bob is in roster, the subscription request is accepted automatically.
3. Bob can now even cancel Alice's subscription, he don't need it any more. So that Bob can "stalk" Alice and Alice cannot see Bob's status. Because in may XMPP clients only online users are visible, there is big chance, that Alice will not notice, that Bobs is subscribed to her.

So if you are using XMPPFramework in your app, test this, if the app is not vulnerable to this. The easiest way is to use Psi+ client, connect to your server with any existing account and add user that is connected to server using XMPPFramework. Then use Authorization -> Send authorization to and then Authorization -> Request authorization from.

Jindrich