Dr. Georg Lukas, rt-solutions.de, 2017-02-09
An incorrect implementation of XEP-0280: Message Carbons in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display. This allows for various kinds of social engineering attacks.
The XMPP protocol extension XEP-0280: Message Carbons allows a user to run multiple clients on their XMPP account by sending “carbon copies” of outgoing and incoming messages to the user’s other devices (besides the one that directly sent or received the original message).
This feature must be supported by the user’s server and must be explicitly enabled by the client. Carbon copies are always generated by the user’s server and originate from the user’s bare JID (their account address).
For example, the following is the message “Hi!”, sent by Alice (firstname.lastname@example.org) to Bob’s client 1 (email@example.com/client1):
<message from="firstname.lastname@example.org" to="email@example.com/client1">
  <body>Hi!</body>
</message>
Bob is also logged in with the carbons-enabled client 2, which receives the following carbon copy of the message:
<message from="firstname.lastname@example.org" to="email@example.com/client2">
  <received xmlns='urn:xmpp:carbons:2'>
    <forwarded xmlns='urn:xmpp:forward:0'>
      <message from="firstname.lastname@example.org" to="email@example.com/client1">
        <body>Hi!</body>
      </message>
    </forwarded>
  </received>
</message>
Now, client 2 can extract the original message from the carbon copy and display it accordingly. The “Security Considerations” section of XEP-0280 explicitly states that:
Any forwarded copies received by a Carbons-enabled client MUST be from that user’s bare JID; any copies that do not meet this requirement MUST be ignored.
The Carbons implementation in the affected clients was lacking this test. It simply checked all incoming messages for the presence of a Carbons element (<received/> or <sent/>), then extracted the forwarded message and parsed it like a regular message, without verifying who sent the wrapper.
Therefore, it was possible for Mallory to send the following specially crafted message to Bob:
<message from="firstname.lastname@example.org" to="email@example.com">
  <received xmlns='urn:xmpp:carbons:2'>
    <forwarded xmlns='urn:xmpp:forward:0'>
      <message from="firstname.lastname@example.org" to="email@example.com/client1">
        <body>Please come to Creepy Valley tonight, alone!</body>
      </message>
    </forwarded>
  </received>
</message>
This would appear as an authentic message from Alice, including Alice’s proper screen name, allowing Mallory to perform social engineering attacks on Bob.
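As an added illustration (not code from the advisory or from the affected clients), the following Python sketch shows the missing check: a carbon wrapper is unwrapped only when the outer stanza’s from attribute equals the user’s own bare JID, and otherwise the whole stanza is ignored as XEP-0280 requires. The JIDs and stanzas are constructed placeholders; verify_origin=False mimics the affected clients’ behaviour.

```python
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_CARBONS = "urn:xmpp:carbons:2"
NS_FORWARD = "urn:xmpp:forward:0"


def _q(ns, tag):
    return "{%s}%s" % (ns, tag)


def bare_jid(jid):
    """'user@host/resource' -> 'user@host' (resource part dropped)."""
    return jid.split("/", 1)[0]


def unwrap_carbon(stanza_xml, my_bare_jid, verify_origin=True):
    """Return (sender, body) the client would display, or None.

    verify_origin=False mimics the affected clients: any <received/> or
    <sent/> wrapper is trusted. verify_origin=True applies the XEP-0280
    rule: the wrapper MUST come from our own bare JID, else it is ignored.
    """
    msg = ET.fromstring(stanza_xml)
    if msg.tag != _q(NS_CLIENT, "message"):
        return None
    wrapper = None
    for kind in ("received", "sent"):
        wrapper = msg.find(_q(NS_CARBONS, kind))
        if wrapper is not None:
            break
    if wrapper is None:
        return None  # plain message, not a carbon copy
    # Carbons are generated by *our* server and stamped with our bare JID.
    # A full JID or any other address means a third party built the wrapper.
    if verify_origin and msg.get("from") != my_bare_jid:
        return None
    fwd = wrapper.find(_q(NS_FORWARD, "forwarded"))
    inner = fwd.find(_q(NS_CLIENT, "message")) if fwd is not None else None
    body = inner.find(_q(NS_CLIENT, "body")) if inner is not None else None
    if body is None or body.text is None:
        return None
    return bare_jid(inner.get("from", "")), body.text


# Constructed samples; all JIDs are placeholders, not from the advisory.
ME = "bob@example.com"
GENUINE_CARBON = """<message xmlns="jabber:client" from="bob@example.com" to="bob@example.com/client2">
  <received xmlns="urn:xmpp:carbons:2"><forwarded xmlns="urn:xmpp:forward:0">
    <message xmlns="jabber:client" from="alice@example.com/phone" to="bob@example.com/client1">
      <body>Hi!</body></message></forwarded></received></message>"""
FORGED_CARBON = """<message xmlns="jabber:client" from="mallory@example.com" to="bob@example.com">
  <received xmlns="urn:xmpp:carbons:2"><forwarded xmlns="urn:xmpp:forward:0">
    <message xmlns="jabber:client" from="alice@example.com/phone" to="bob@example.com/client1">
      <body>Please come to Creepy Valley tonight, alone!</body></message></forwarded></received></message>"""
```

With the check in place the forged stanza yields nothing to display, while the genuine carbon from Bob’s own server still unwraps to Alice’s message.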
While the attacker can send messages in the name of somebody else, they cannot see your responses. Therefore, if you receive a suspicious message while using an affected client, verify it with the purported sender, either by challenging them with a question the attacker cannot guess or by using out-of-band means.
Xabber: disable the experimental Carbons feature in the app settings.
yaxim: Disabling Message Carbons under “Settings” / “Edit account” / “Message Carbons (XEP-0280)” will not solve the problem, as the malicious messages will still be interpreted.