[Telepathy] Showing actual image in chat window

Simon McVittie simon.mcvittie at collabora.co.uk
Wed Jun 27 03:53:57 PDT 2012


On 27/06/12 10:56, Mithun Shitole wrote:
> Thanks for the suggestion. I have successfully modified a adium theme
> to show images.
[...]
> Are there any security concerns with this approach?

I'm concerned about the privacy implications of this feature. If the
owner of example.com wants to find out whether/when you are online, they
can send you an IM containing a unique image URL, perhaps something like
this:

    http://example.com/track/f8177982-3da3-4936-886d-bd8c84dce6f9.jpg

and then consult the example.com server logs to find out whether/when
Empathy retrieves that URL. For maximum evil, the image it served would
be a 1x1 pixel transparent GIF or PNG, and the text of the message would
look like something innocent (either a message sent to the wrong
recipient by mistake, or spam).

To do this, they do not need to be on your contact list or otherwise
have your permission.

This would be partially addressed by only showing the image inline if
the message's sender has been given permission to see your presence
(publish = Yes on the ContactList interface).

There are also potential security implications if the image-loading
library has an exploitable bug (although that would normally be
considered to be a security bug anyway), or if dereferencing the URL
causes code execution or side-effects. For instance, you don't want to
display a "javascript:" URL, and you might not want to display this:

    https://broken.example.org/delete-all-data.php?confirm=yes&x=.jpg

(Admittedly, that site is already broken if it contravenes the HTTP spec
by giving a HTTP GET "unsafe" side-effects, because of e.g. prefetching.)

    S


More information about the telepathy mailing list