XMPP support in Messages does not verify the source of roster pushes & iq replies

Number:rdar://16147049 Date Originated:24-02-2014
Status:Open Resolved:
Product:Other Product Version:
Classification:Security Reproducible:Always
I've been looking into XMPP implementations and whether they verify the source of iq replies. See http://mail.jabber.org/pipermail/jdev/2014-January/089824.html and http://mail.jabber.org/pipermail/jdev/2014-January/089838.html for more discussion.

Messages does not verify the source of iq replies. I have verified that, upon signing in, if a roster result comes in from a different address than the server, it is accepted and displayed as the contact list. This can lead to spoofing of rosters, vcards, etc.

More importantly, Messages does not verify the source of roster pushes. This allows anyone to add new contacts to someone else's contact list.

Steps to Reproduce:
To spoof a roster push:
1. Start Messages
2. Send the following from a different client:

<iq type='set' to='user@example.com/ComputerName' id='1'>
    <query xmlns='jabber:iq:roster'>
      <item jid='evil@evil.com'/>
3. Observe the contact list in Messages.

Expected Results:
No unauthorized modification of my contact list.

Actual Results:
Unauthorized modification of my contact list.



OS X 10.9.1, Messages Version 8.0 (4218)



Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!