Privacy violation: auto-accepting subscription requests
Created by: ge0rg
Kaidan is silently and automatically accepting subscription requests. This is a violation of the user's privacy, because it leaks the user's availability status (allowing to monitor their behavior) and exposing full JIDs, allowing to target individual clients.
As today most spam sending bots first send a subscription request and then a message, and many spam filters block messages from strangers, you are also exposing users to spam.
Mar 23 03:00:30 s2sin56532061a490 debug Received[s2sin]: <presence type='subscribe' email@example.com' firstname.lastname@example.org zerki.net'> Mar 23 03:00:30 s2sout56530f8819b0 debug sending: <presence type='unavailable' email@example.com' from='georg@yax .im'> Mar 23 03:00:30 c2s5653115ea470 debug Received[c2s]: <presence type='subscribed' firstname.lastname@example.org' email@example.com/e57cc71c-e400-4a4d-a60b-513ec9d4a880'>
firstname.lastname@example.org/e57cc71c-e400-4a4d-a60b-513ec9d4a880 is running Kaidan version 0.4.0-dev on Debian GNU/Linux buster/sid
If you want to improve the UX without exposing the user, I recommend the following:
Edit by @LNJ2:
- Don't automatically accept subscription requests
- Ask the user for accepting the requests