Remote image fetching when decoding HTML from XMPP reveals IP address
Reported by: am | Owned by: evands
In , Evan wrote that AIHTMLDecoder automatically fetches images referenced in HTML it is asked to decode. Since AIHTMLDecoder is used for XMPP, this is a problem. XMPP strictly avoids giving out the user's IP address. If an attacker embeds an image pointing to a server where the attacker has access to the web server logs, the user's IP is leaked automatically.
Ideally, something like in Apple Mail should be used (where the user can decide whether to download the images by pressing a button in the message view).
Change History (6)
comment:2 Changed 5 years ago by zacw
- Summary changed from IP leak in ? to Remote image fetching when decoding HTML from XMPP reveals IP address
comment:5 Changed 5 years ago by Zachary West <zacw@…>
- Resolution set to fixed
- Status changed from new to closed
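The behaviour the ticket asks for (no automatic fetch, with the user deciding whether to load images) can be sketched as a pre-render pass over the incoming message HTML. This is an added example in Python, not Adium's AIHTMLDecoder code and not the fix that closed this ticket; `block_remote_images`, `LOCAL_SCHEMES` and the placeholder text are hypothetical names, and the sample message is constructed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: these schemes are resolved locally, without a network request.
LOCAL_SCHEMES = {"data", "cid"}

def is_remote(src):
    """True unless src parses cleanly to a known-local scheme (fail closed)."""
    try:
        return urlsplit(src.strip()).scheme.lower() not in LOCAL_SCHEMES
    except ValueError:
        return True

class RemoteImageBlocker(HTMLParser):
    """Re-emit message HTML with remote <img> tags replaced by a placeholder.
    Only <img> is handled, matching the ticket; comments are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked = [], []  # blocked: URLs to load on request

    def _tag(self, tag, attrs, end=""):
        a = dict(attrs)
        # srcset can name remote candidates even when src is local: block it.
        if tag == "img" and ("srcset" in a or is_remote(a.get("src") or "")):
            self.blocked.append(a.get("src") or "")
            self.out.append(f"[remote {escape(a.get('alt') or 'image')} blocked]")
            return
        rendered = "".join(
            f" {k}" if v is None else f' {k}="{escape(v, quote=True)}"'
            for k, v in attrs)
        self.out.append(f"<{tag}{rendered}{end}>")

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, " /")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def block_remote_images(html):
    """Return (safe_html, blocked_urls) for one incoming message body."""
    parser = RemoteImageBlocker()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample; tracker.example is a placeholder host.
SAMPLE = ('<p>hi <img src="http://tracker.example/p.png" alt="pixel"> &amp; '
          '<img src="data:image/png;base64,AAAA"/></p>')
```

The returned list of blocked URLs is what a message view would use to offer a "load images" button, so the request only happens after the user asks for it.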