[tor-bugs] #17833 [Tor Messenger]: Two contacts ! dangerously ! merging as one

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Dec 12 17:15:09 UTC 2015 

#17833: Two contacts ! dangerously ! merging as one
----------------------------+----------------------------------------------
     Reporter:              |      Owner:
  cypherpunks               |     Status:  new
         Type:  defect      |  Milestone:
     Priority:  Very High   |    Version:  Tor: unspecified
    Component:  Tor         |   Keywords:  XMPP, Messenger, accounts, merge
  Messenger                 |  Parent ID:
     Severity:  Critical    |    Sponsor:
Actual Points:              |
       Points:              |
----------------------------+----------------------------------------------
 Received a message apparently coming from PERSON A. From the very first
 line it became obvious that I was not communicating with a PERSON A but
 with someone else, I then quit Tor Messenger at once. Past initial
 confusion I contacted PERSON A via alternative channel to confirm that
 they did not send this message.

 When I started Tor Messenger again, a new conversation was initiated,
 apparently by PERSON A, but this time, after the message, Tor Messenger
 displayed the following (see screenshot wtf2.png):
 "
 - The current conversation is private bu *PERSON B*'s identity has not
 been verified.
 - The conversation will continue with PERSON A, using XMPP
 - Private conversation with PERSON A started. However, their identity has
 not been verified.
 "

 However, despite this, I was still talking with PERSON B. Please note that
 contact with PERSON B was already supposed to be (unverified) in my
 contact list at that time, but somehow has disappeared from it.

 Confusing, isn't it? :)

 I tried to understand a bit of what was happening, and as seen on
 screenshot "wtf5.png", upon hovering over PERSON A's account icon, 2
 accounts are now listed: "(unverified) PERSON A" and "(verified) PERSON
 A".

 Upon clicking "(unverified) PERSON A" it is now clear that I actually open
 a conversation with PERSON B, as, when i try to verify this person's
 identity, a popup mentions (see screenshot "wtf.png") "verify PERSON B",
 while staying empty of any interface elements to verify it...

 It appears that PERSON A and PERSON B are somehow merged into PERSON A's
 conversation window.

 This could lead to very dangerous confusion... I hope this helps to
 further identify the source of the bug.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17833>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list