#1162 MUC: discloses list of members of members-only and password-protected rooms by default
Type: Information Disclosure.
What steps will reproduce the problem?
1. Create a room.
2. Set it to members only.
3. Use another JID to query disco#items of that room.
What is the expected output?
forbidden, not-authorized or another error. Unfortunately, XEP-0045 mandates to return an empty list instead (§6.5):
> If the list of occupants is private, the room MUST return an empty <query/> element, in accordance with XEP-0030.
What do you see instead?
The list of nicknames currently joined into the room.
What version of the product are you using? On what operating system?
0.9.x, 0.10.x, trunk.
XEP-0045 also says:
> An implementation MAY return a list of existing occupants if that information is publicly available, or return no list at all if this information is kept private. Implementations and deployments are advised to turn off such information sharing by default.
So this is not strictly a violation of XEP-0045, but it isn’t great either.
FWIW, I’m not sure a security issue for this is 100% warranted, but better safe than sorry.