Smack XMPP library is vulnerable to man-in-the-middle (MitM) attacks. This is because the security of the TLS connection is not always enforced, making it vulnerable to MitM. By stripping the “starttls” feature from the server response with a man-in-the-middle tool, an attacker can force the client to authenticate in clear text even if the “SecurityMode.required” TLS setting has been set. Note this is a race condition issue, so the attack works after a few tries.
seclists.org/oss-sec/2016/q4/716
www.openwall.com/lists/oss-security/2016/12/22/12
www.securityfocus.com/bid/95129
community.igniterealtime.org/blogs/ignite/2016/11/22/smack-security-advisory-2016-11-22
github.com/igniterealtime/Smack/commit/059ee99ba0d5ff7758829acf5a9aeede09ec820b
github.com/igniterealtime/Smack/commit/a9d5cd4a611f47123f9561bc5a81a4555fe7cb04
issues.igniterealtime.org/browse/SMACK-739
issues.igniterealtime.org/projects/SMACK/issues/SMACK-739
lists.fedoraproject.org/archives/list/[email protected]/message/J4WXAZ4JVJXHMEDDXJVWJHPVBF5QCTZF/