Researchers Discover Wiretapping in XMPP-Based Instant Messaging Service

Oct 28, 2023NewsroomPrivacy / Data Security

XMPP Instant Messaging Service

The new findings shed light on what is said to be a legal attempt to covertly intercept traffic originating from jabber(.)ru (aka xmpp(.)ru), a XMPP-based instant messaging service, through servers hosted by Hetzner and Linode (a subsidiary of Akamai) in Germany.

“The attacker issued many new TLS certificates using the Let’s Encrypt service used to hijack encrypted. STARTTLS connections on port 5222 using a transparent (man-in-the-middle) proxy,” a security researcher with the alias ValdikSS SAYS earlier this week.

“The attack was discovered due to the expiration of one of the MiTM certificates, which has not yet been reissued.”


The evidence gathered so far points to traffic redirection configured in the hosting provider’s network, ruling out other possibilities, such as a server breach or a spoofing attack.

The wiretapping is estimated to have lasted for six months, from April 18 to October 19, although it has been confirmed to have taken place since at least July 21, 2023, and until October 19, 2023.

Signs of suspicious activity were first detected on October 16, 2023, when one of the service’s UNIX administrators received a “Certificate Expired” message when connecting to it.

The actor’s threat is believed to have stopped the event after the investigation into the MiTM incident began on October 18, 2023. It was not immediately clear who was behind the attack, but it is suspected to be a case of legal interception based on the request of the German police. . .

Another hypothesis, although unlikely but not impossible, is that the MiTM attack is an intrusion into the internal networks of Hetzner and Linode, specifically singing jabber(.)ru.

“Due to the nature of the interception, the attackers were able to execute any action as if it were executed from the authorized account, without knowing the password of the account,” the researcher said.


“This means the attacker can download the account roster, lifetime unencrypted message history on the server side, send new messages or modify them in real time.”

Hacker News has reached out to Akamai and Hetzner for further comment, and we’ll update the story when we hear back.

The users of the service are recommended to assume that their communications in the past 90 days have been compromised, as well as “check their accounts for new unauthorized OMEMO and PGP keys in their PEP storage, and change passwords. “

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment