Privacy violation: auto-accepting subscription requests
Created by: ge0rg
Kaidan is silently and automatically accepting subscription requests. This is a violation of the user's privacy, because it leaks the user's availability status (allowing others to monitor their behavior) and exposes full JIDs, allowing individual clients to be targeted.
As most spam-sending bots today first send a subscription request and then a message, and many spam filters block messages from strangers, you are also exposing users to spam.
Server-side logs:
Mar 23 03:00:30 s2sin56532061a490 debug Received[s2sin]: <presence type='subscribe' to='georg@yax.im' from='redirect59926@jabber.ozerki.net'>
Mar 23 03:00:30 s2sout56530f8819b0 debug sending: <presence type='unavailable' to='redirect59926@jabber.ozerki.net' from='georg@yax.im'>
Mar 23 03:00:30 c2s5653115ea470 debug Received[c2s]: <presence type='subscribed' to='redirect59926@jabber.ozerki.net' from='georg@yax.im/e57cc71c-e400-4a4d-a60b-513ec9d4a880'>
georg@yax.im/e57cc71c-e400-4a4d-a60b-513ec9d4a880 is running Kaidan version 0.4.0-dev on Debian GNU/Linux buster/sid
If you want to improve the UX without exposing the user, I recommend the following:
Edit by @LNJ2:
- Don't automatically accept subscription requests
- Ask the user for accepting the requests
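To make the recommended behaviour concrete, here is an added example (not Kaidan's code, and not from the reporter) of a minimal client-side presence-subscription handler. It contrasts the weak setting (replying `subscribed` to every `subscribe` stanza) with the safer one (queueing the request until the user decides). The class name `SubscriptionHandler`, its methods, and the constructed sample stanza (modelled on the `s2sin` log line above) are assumptions for illustration; the reply's `from` is deliberately the bare JID so the client's resource is not echoed back to the requester.

```python
"""Presence-subscription handling: auto-accept vs. ask the user.

Added example; not part of Kaidan. Names and sample data are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample stanza, modelled on the s2s log line in the report.
SUBSCRIBE_STANZA = (
    "<presence type='subscribe' to='georg@yax.im' "
    "from='redirect59926@jabber.ozerki.net'/>"
)


def bare_jid(jid):
    """Strip the resource part: user@host/resource -> user@host."""
    return jid.split("/", 1)[0]


def stanza_attrs(raw):
    """Parse a single stanza and return its attributes (helper for checks)."""
    return dict(ET.fromstring(raw).attrib)


@dataclass
class SubscriptionHandler:
    own_jid: str                  # full JID of this client session
    auto_accept: bool = False     # True reproduces the reported weak behaviour
    pending: list = field(default_factory=list)

    def on_presence(self, raw):
        """Handle an incoming <presence/>; return the stanza to send, or None."""
        elem = ET.fromstring(raw)
        if elem.tag != "presence" or elem.get("type") != "subscribe":
            return None               # not a subscription request; nothing to do
        requester = bare_jid(elem.get("from", ""))
        if not requester:
            return None               # malformed: no sender, ignore
        if self.auto_accept:
            # Weak behaviour: anyone who asks immediately sees our presence.
            return self._reply(requester, "subscribed")
        # Safer behaviour: park the request and let the user decide later.
        if requester not in self.pending:
            self.pending.append(requester)
        return None

    def decide(self, requester, approve):
        """Called once the user accepts (True) or rejects (False) a request."""
        if requester not in self.pending:
            raise KeyError(requester)
        self.pending.remove(requester)
        return self._reply(requester, "subscribed" if approve else "unsubscribed")

    def _reply(self, requester, kind):
        # Reply from the bare JID: do not leak our resource to the requester.
        reply = ET.Element(
            "presence",
            {"type": kind, "to": requester, "from": bare_jid(self.own_jid)},
        )
        return ET.tostring(reply, encoding="unicode")


if __name__ == "__main__":
    handler = SubscriptionHandler("georg@yax.im/e57cc71c-e400-4a4d-a60b-513ec9d4a880")
    print("immediate reply:", handler.on_presence(SUBSCRIBE_STANZA))  # None
    print("pending:", handler.pending)
    print("after user rejects:", handler.decide(handler.pending[0], False))
```

With `auto_accept=False` the handler never answers on its own; the `subscribed` or `unsubscribed` stanza only leaves the client after `decide()` is called with the user's choice, which is the change the report asks for.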