When I know an XMPP ID (something like [phonenumber]#s.whatsapp.net) what else do I need to send a WhatsApp message?
You will also need a password, which may be an MD5 hash; you will need to reverse the MD5 hash. Every XMPP account has a username and a password.
Related
My web app has a pretty standard feature that allows a user who forgot their password to reset it by sending themselves a password reset email with a link to the page to create a new password.
I'm concerned that person1 could use this page to harass person2 by claiming to need a password reset email, but giving the email address of person2, and automate this with a bot, sending massive numbers of emails to person2. It wouldn't reveal any secrets, but it could be very annoying, even a DoS on their inbox, and my application would get the blame.
I understand that I can throttle the api call that sends the email, but how? The user making the api call can't be authenticated, because if they were logged in, they wouldn't need the reset. And if the api call is open, then there's no way to validate the caller, because any general request information (like IP) can be spoofed (or sent through a proxy server).
If I throttle that api call globally, then legitimate users might get locked out if a large number of them just happened to use the feature at the same time.
How do you deal with a situation like this?
Throttle how many mails you will send to the same email address, regardless of how they're requested. This doesn't require you to throttle how many resets you will handle in total; just per address.
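The per-address throttle described in this answer, as an added example that is not part of the original post. It assumes an in-memory sliding window (a real deployment would back it with a shared store) and a constructed policy of at most three reset mails per normalized address per hour; the neutral response text is also an assumption, chosen so the caller's reply does not change whether a mail was sent or dropped.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Assumed policy for this example (not from the original post):
# at most MAX_PER_WINDOW reset mails per address in any WINDOW_SECONDS window.
MAX_PER_WINDOW = 3
WINDOW_SECONDS = 3600


def normalize(address: str) -> str:
    """Canonicalize so 'Bob@Example.com ' and 'bob@example.com' share one bucket."""
    return address.strip().lower()


class PerAddressThrottle:
    """Sliding-window limit keyed on the *recipient* address, not the caller.

    Nothing about the requester (IP, session) is trusted; only the count of
    mails already sent to the target address in the window matters.
    """

    def __init__(self, limit: int = MAX_PER_WINDOW, window: int = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._sent: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, address: str, now: Optional[float] = None) -> bool:
        """Return True and record a send if this address is under its limit."""
        now = time.time() if now is None else now
        q = self._sent[normalize(address)]
        cutoff = now - self.window
        while q and q[0] <= cutoff:      # drop sends that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_reset_request(throttle: PerAddressThrottle, address: str,
                         now: float, outbox: List[Tuple[float, str]]) -> str:
    """Always return the same neutral text; only the side effect differs.

    `outbox` stands in for the mail sender (constructed for the example).
    """
    if throttle.allow(address, now):
        outbox.append((now, normalize(address)))
    return "If an account exists for that address, a reset link has been sent."


if __name__ == "__main__":
    t, sent = PerAddressThrottle(), []
    for i in range(10):                  # a bot hammering one victim address
        handle_reset_request(t, "Victim@Example.com", float(i), sent)
    print(f"{len(sent)} mail(s) actually sent out of 10 requests")
```

Global throughput is untouched: a burst of legitimate users resetting different addresses at the same moment never hits the limit, because each address has its own window.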
I have to research the user reactions to an incoming phishing mail.
Therefore I'm trying to track whether a user opened an e-mail. I'm using an Exchange Server and have complete access to the log files. I want to use the IMAP flags (\Seen, \Answered etc.) to get this information.
My problem is that I can't connect my IMAP log to a Message-ID or some other unique identifier.
Here is an example of the IMAP log:
2019-07-26T19:01:47.641Z,000000000000001B,15,[fe80::1435:3fe7:d31e:230f%14]:1993,[fe80::1435:3fe7:d31e:230f%14]:22505,alicetracker,1,24,57,uid+fetch,fetch 2:* (FLAGS),"R=OK;Rows=1;UidValidity=14;UidNext=2;ActivityContextData=Dbl:BudgUse.T[]=0.945299983024597;Budget=""Owner:Sid~S-1-5-21-2443813523-3910580689-2609561915-1147~Imap~false,Conn:1,MaxConn:Unlimited,MaxBurst:3600000,Balance:3600000,Cutoff:Unlimited,RechargeRate:600000,Policy:GlobalThrottlingPolicy_6ead7ca9-720e-4f9c-8a7c-eaaf9fd5866e,IsServiceAccount:False,LiveTime:00:07:08.8466978""",
Is there any way to manipulate the Exchange Server so that I can use the IMAP logs for this purpose?
Thanks!
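A parser for the IMAP log line quoted in the question, as an added example that is not part of the original post. The column names are an assumption taken from the order of values in that line (check the "#Fields:" header of your own log files); the sample is the question's own line, embedded as a constant. It shows what a defender can and cannot pull out of this record: the user, the command and its parameters, and the context key/value pairs, which is where the gap the question describes shows up, since the parameters only reference a UID range, not a Message-ID.

```python
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Assumed column names for this example (based on the sample line's order).
FIELDS = ["dateTime", "sessionId", "seqNumber", "sIp", "cIp", "user",
          "duration", "rqsize", "rpsize", "command", "parameters", "context"]

# The line from the question, verbatim (doubled quotes are CSV escaping).
SAMPLE_LOG = (
    '2019-07-26T19:01:47.641Z,000000000000001B,15,'
    '[fe80::1435:3fe7:d31e:230f%14]:1993,[fe80::1435:3fe7:d31e:230f%14]:22505,'
    'alicetracker,1,24,57,uid+fetch,fetch 2:* (FLAGS),'
    '"R=OK;Rows=1;UidValidity=14;UidNext=2;'
    'ActivityContextData=Dbl:BudgUse.T[]=0.945299983024597;'
    'Budget=""Owner:Sid~S-1-5-21-2443813523-3910580689-2609561915-1147~Imap~false,'
    'Conn:1,MaxConn:Unlimited,MaxBurst:3600000,Balance:3600000,Cutoff:Unlimited,'
    'RechargeRate:600000,Policy:GlobalThrottlingPolicy_6ead7ca9-720e-4f9c-8a7c-eaaf9fd5866e,'
    'IsServiceAccount:False,LiveTime:00:07:08.8466978""",'
)

FETCH_RE = re.compile(r"^fetch\s+(\S+)\s+\((.*)\)$", re.IGNORECASE)


def parse_context(context: str) -> Dict[str, str]:
    """Split the ';'-separated context field into key/value pairs.

    Only the first '=' separates key from value, because values such as
    ActivityContextData contain '=' themselves.
    """
    out: Dict[str, str] = {}
    for item in context.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            out[key] = value
    return out


def parse_line(line: str) -> Dict[str, str]:
    """Parse one log line with the csv module so quoted fields stay intact."""
    row = next(csv.reader(io.StringIO(line)))
    # The line ends with a comma, which csv reports as one extra empty column.
    return dict(zip(FIELDS, row[:len(FIELDS)]))


def fetch_target(parameters: str) -> Optional[Tuple[str, str]]:
    """Return (uid_set, items) for a FETCH, e.g. ('2:*', 'FLAGS'), else None."""
    m = FETCH_RE.match(parameters.strip())
    return (m.group(1), m.group(2)) if m else None


def flag_fetches(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(time, user, uid_set) for every UID FETCH that asked for FLAGS.

    This is as close as this log gets to 'who looked at which message':
    it identifies a mailbox and a UID range, never a Message-ID.
    """
    found = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        target = fetch_target(rec.get("parameters", ""))
        if rec.get("command") == "uid+fetch" and target and "FLAGS" in target[1].upper():
            found.append((rec["dateTime"], rec["user"], target[0]))
    return found


if __name__ == "__main__":
    for when, user, uids in flag_fetches([SAMPLE_LOG]):
        print(f"{when} {user} fetched FLAGS for UIDs {uids}")
```

Mapping a UID back to a specific message still needs a second source that knows the UID-to-message relationship for that mailbox (UidValidity in the context field is what makes a UID meaningful); the protocol log alone does not carry it.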
MSN messenger (windoze live connect or whatever they call it nowadays) over XMPP doesn't use the actual email addresses for buddy JIDs, but somekindofhashes#messenger.live.com
These hashes can be looked up using getjid, but I am wondering if anybody knows how they are actually calculated.
There is no way to calculate them, for security reasons. The GetJid stuff is the only way to look them up.
We usually send a verification link by email when users register, to verify the user's email.
The link may look similar to
http://www.example.com/register.php?id=12832&&unique_number=ij86435232as
This means that we have to store this unique number in our database to verify the user's identity.
I'm thinking that if we send the user's password to their email and tell them:
"Check your email, we sent your username and password"
then we don't have to save an additional unique number in our database, so we are saving memory.
So my question is: is there anything wrong with this approach?
If you want your application to be considered secure, it's not wise to send plain-text passwords out via e-mail.
The amount of storage required to hold your unique number is trivial in the extreme, so I'd continue to do that.
I'm building a system that allows people to submit text and photos via email in addition to standard access on the website. I'm trying to weigh the security advantages of two strategies in particular for verifying submissions from a user. Here they are as follows:
To-based auth: Create a secret email address per user and present this to the user for submission. This strategy has the advantage that people can send from multiple devices that might be set up with different mail accounts.
From-based auth: Only accept emails from addresses that are registered in the user database. The idea being that it is impractical/difficult to impersonate registered users based on the sending address.
Can you think of other possible solutions? Which strategy of the ones proposed makes the most sense to you?
I would suggest that you not use From-based authentication, at least not without some additional credentials (a passphrase, etc.).
It's way too easy to forge, and certainly not difficult if you know someone's email address.
If you echo the email back to the user for confirmation, you can make things a little more difficult, but realize that your service can end up being used as a sort of spamming relay. (I could send 100 upload requests to you, with a forged FROM address, and you'd go ahead and spam the real person with 100 confirmation requests)
The better option is to check the registered email address but add the need for a code within the email subject known to the user. This way if they forge the email from address, they would still need a key to authenticate the incoming email.
I would go with "from" + confirmation, to avoid forging.
I.e. receive the email, but send a response with an auth token in the subject line (or in the body) back to the "from" address. The user will either need to reply, or click a link to confirm the submission.
And you post the content only after confirmation.
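One token store that serves both patterns on this page: the registration link with a stored unique number (the register.php?id=...&unique_number=... link from the earlier question, whose answer says to keep storing that number) and the "from" + confirmation flow described in this answer, where an auth token goes back to the sender and the content is posted only after it is confirmed. This is an added example, not code from any of the posts; the in-memory store, the 24-hour lifetime, the `[confirm <token>]` subject marker and the URL shape are assumptions. Tokens are random, single-use, expiring, bound to a purpose and a subject (user id, or sender address plus a hash of the submitted content), and only their hash is stored.

```python
import hashlib
import hmac
import re
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL = 24 * 3600                       # assumed lifetime for this example
CONFIRM_RE = re.compile(r"\[confirm ([A-Za-z0-9_-]+)\]")


class ConfirmationStore:
    """Maps sha256(token) -> (purpose, subject, expiry). Only hashes are kept,
    so a leaked table cannot be replayed as live tokens."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, purpose: str, subject: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits, unguessable
        self._pending[self._digest(token)] = (purpose, subject, now + TOKEN_TTL)
        return token

    def confirm(self, purpose: str, subject: str, token: str,
                now: Optional[float] = None) -> bool:
        """True exactly once per token, and only for the purpose/subject it was
        issued for; expired or unknown tokens are rejected."""
        now = time.time() if now is None else now
        key = self._digest(token)
        entry = self._pending.get(key)
        if entry is None:
            return False
        stored_purpose, stored_subject, expires = entry
        if now > expires:
            del self._pending[key]
            return False
        if stored_purpose != purpose or stored_subject != subject:
            return False
        del self._pending[key]              # single use
        return True


# --- registration link (the unique_number the first poster wanted to drop) ---

def registration_link(store: ConfirmationStore, user_id: int,
                      now: Optional[float] = None) -> str:
    token = store.issue("register", f"user:{user_id}", now)
    return f"http://www.example.com/register.php?id={user_id}&unique_number={token}"


def verify_registration(store: ConfirmationStore, user_id: int, unique_number: str,
                        now: Optional[float] = None) -> bool:
    return store.confirm("register", f"user:{user_id}", unique_number, now)


# --- "from" + confirmation for emailed submissions (this answer's flow) ---

def submission_subject(from_addr: str, body: bytes) -> str:
    """Bind the token to the sender *and* the exact content, so a confirmation
    approves only the submission it was sent for."""
    return f"{from_addr.strip().lower()}|{hashlib.sha256(body).hexdigest()}"


def request_confirmation(store: ConfirmationStore, from_addr: str, body: bytes,
                         now: Optional[float] = None) -> str:
    """Return the Subject: line of the mail sent back to the From address."""
    token = store.issue("submit", submission_subject(from_addr, body), now)
    return f"Please confirm your submission [confirm {token}]"


def confirm_submission(store: ConfirmationStore, reply_from: str, reply_subject: str,
                       body: bytes, now: Optional[float] = None) -> bool:
    """Post the content only if the reply carries a valid token for it."""
    m = CONFIRM_RE.search(reply_subject)
    if not m:
        return False
    return store.confirm("submit", submission_subject(reply_from, body), m.group(1), now)


if __name__ == "__main__":
    store = ConfirmationStore()
    subj = request_confirmation(store, "alice@example.com", b"hello", now=0)
    print("confirmed:", confirm_submission(store, "Alice@Example.com", subj, b"hello", now=1))
```

A forged From header still triggers a confirmation mail to the real address (the spam-relay concern raised above), so the per-address send limit shown earlier on this page belongs in front of `request_confirmation` too; what this store guarantees is that nothing is posted until the token reaches the registered address and comes back.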