1. example.lit connects to foo.example.lit claiming to be prosody.lit on the initial stream header 2. foo.example.lit offers dialback and stream ID "abc" 3. example.lit triggers a connection from prosody.lit to example.lit 4. example.lit offers dialback and stream ID "abcfoo." 5. prosody.lit generates SHA256("abcfoo.example.litprosody.litb97b59cd-f9f8-4d5e-b43f-96107303c30e") as dialback key: https://hg.prosody.im/0.9/file/0386ccf20ac7/plugins/mod_dialback.lua#l22 6. example.lit forwards this dialback key to foo.example.lit 7. foo.example.lit connects back to prosody.lit 8. prosody.lit says the key is valid 9. example.lit is now authorized to send messages to foo.example.lit pretending to be from prosody.lit The target domain doesn't strictly need to subdomain, just a suffix: alice.example.lit could be impersonated by lice.example.lit. This is pretty common for things like no-ip.org. The problem is the lack of separation of the different fields in generate_dialback(). XEP-0185 fixes this by requiring spaces between the different parts. https://hg.prosody.im/0.10/rev/dd8265ca9327 implemented that, but only for 0.10+.

• owner MattJ
• tags Status-Fixed

Fixed in 5c6e78dc1864.

• tags Hidden