Skip to content

Stop OTR from leaking network availability#2166

Closed
techmetx11 wants to merge 1 commit into
profanity-im:masterfrom
techmetx11:master
Closed

Stop OTR from leaking network availability#2166
techmetx11 wants to merge 1 commit into
profanity-im:masterfrom
techmetx11:master

Conversation

@techmetx11

@techmetx11 techmetx11 commented May 16, 2026

Copy link
Copy Markdown
Contributor

In Profanity, OTR can be abused to leak the user's network availability, without a subscription request and with just their bare JID. This may have been exploited in the wild by malicious users and spammers.

This PR will stop libotr from injecting messages if the recipient doesn't have a subscription

@techmetx11 techmetx11 force-pushed the master branch 2 times, most recently from ea08c10 to 035d856 Compare May 16, 2026 22:34
@techmetx11
fix(otr): stop OTR from leaking network availability
035d856 
Signed-off-by: techmetx11 <techmetx11@disroot.org>
@jubalh

jubalh commented May 18, 2026

Copy link
Copy Markdown
Member

There seems to be missing context here. Could you expand a bit what on what is happening and how?

Also I think there are people that want to chat using OTR and don't grant subscription to the roster to the other party. So this PR might need redoing. Probably a setting will be needed for /otr to decide about the behaviour.

But let's hear more about the original concern first.

@techmetx11

techmetx11 commented May 18, 2026
edited
Loading

Copy link
Copy Markdown
Contributor Author

There seems to be missing context here. Could you expand a bit what on what is happening and how?

Also I think there are people that want to chat using OTR and don't grant subscription to the roster to the other party. So this PR might need redoing. Probably a setting will be needed for /otr to decide about the behaviour.

But let's hear more about the original concern first.

Spammers have been abusing OTR presumably to figure out if users are online, because OTR will inject a message upon receiving a handshake message (?OTRv23?) with no regard for if the entity is authorized to know about the user's network availability.

What also makes this worse is that if the attacker doesn't use <no-store>, <no-copy> or <private>, Profanity will continue to respond to the same OTR handshake between client restarts because it gets the same handshake message from the server's history. Essentially allowing the attacker to figure out when a Profanity user has come online just by receiving OTR messages from them (and without the user being aware of it)

monocles.chat fixed this issue somehow. It doesn't respond to OTR handshakes from strangers

@jubalh

jubalh commented May 18, 2026

Copy link
Copy Markdown
Member

I'm curious what other clients do. But I think not many even still support OTR at this point, right?

@jubalh jubalh added this to the next milestone May 19, 2026
@jubalh jubalh self-assigned this May 19, 2026
@jubalh

jubalh commented May 19, 2026

Copy link
Copy Markdown
Member

Ok I think I understood the problem now well enough.
I'll look into it when I find some free time. Thanks for reporting the issue!

@jubalh jubalh mentioned this pull request May 19, 2026
Merged
@jubalh

jubalh commented May 19, 2026

Copy link
Copy Markdown
Member

@techmetx11 please take a look at #2168.
I think this is how we should do it. What do you think?

@jubalh jubalh added the otr label May 19, 2026
@techmetx11

techmetx11 commented May 20, 2026

Copy link
Copy Markdown
Contributor Author

@techmetx11 please take a look at #2168. I think this is how we should do it. What do you think?

I think that's better than what I did here. LGTM!

@techmetx11 techmetx11 closed this May 20, 2026
bkmgit pushed a commit to bkmgit/profanity that referenced this pull request May 25, 2026
@jubalh
fix(otr): prevent OTR handshake from leaking presence to strangers
d020828 
`cb_is_logged_in()` incorrectly returned `PRESENCE_ONLINE`
for contacts not in the roster or without a presence subscription.

According to libotr API documentation, returning 1 informs the library that it
is safe to send automated background traffic (heartbeats or handshake responses).

Because of this, when spammers sent an initial OTR query (`?OTR?v23?`),
we would automatically inject a handshake response, confirming the
users network availability.

This violates XMPP Presence Privacy best practices defined in RFC 6121 Section 4.1,
which states that presence information must not be revealed to entities
without explicit authorization.

Fixes: profanity-im#2166
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jubalh jubalh

Labels

otr

Projects

None yet

Milestone

next

Development

Successfully merging this pull request may close these issues.

2 participants

@techmetx11 @jubalh