Users can access other users' message history

Hello,

I hope I’m just doing something very wrong here.

We’ve been using Openfire for years (currently 3.8.2, Debian server), with Spark and Psi desktop clients.

I have message archiving enabled, and users can see their own conversation history on the clients.

Well, I just installed an Android XMPP client on some users’ phones, and one of them found out that selecting a user in the roster opens that user’s history of messages, sent to ANYONE. Not broadcast nor group messages. Everything sent through that user’s Spark client.

Even if that is a bug in the Android client, I’d expect the Openfire server not to provide that information. The Android client is logged in as a standard user, not the admin.

Is this right? Did I miss some essential config option in the server? This does not happen with the desktop clients, and it is a major concern for me, as soon as other users find out, there will be no secrets left…

Thanks,

Joao

Ok, sorry, I jumped the gun out of panic (I was on the way to a long presentation when the user showed me his phone with the history of messages not related to him, and I posted from the coffee break).

Now that I checked myself, I see that the other user’s messages shown are all OLD ones; around 2009 - 2010, and not ALL messages in that period (or the history shown would be much larger). They are random messages addressed to someone else from the other user, along with actual messages exchanged with the current user.

So either something went wrong in that period, archiving some messages in a way they are now “public”, or some weird database corruption made them visible to anyone. I cannot recall when I migrated the native database to MySQL, but it may well be around then, so something in the migration could have messed with the archive.

Now, is there a way for me to make those messages “private” again without simply deleting all messages from that period? Is there a specific table/field related to which archived messages can be shown to whom?

Thanks again,

Joao

More information: Those old, other-user messages are the only ones the Android client (Xabber) can see in the server message history. New messages, even sent/received from it, although archived and visible in the server, do not show in the client, nor in the PC’s Spark clients.

Joao

All right, updated Openfire to 3.9.3 and monitoring service to 1.4.2, and the old, other-user messages disappeared from the Android Xabber clients.

Thanks,

Joao