Now, just submitting that they were missing an origin validation is not fun at all and would likely not show them the true severity of the issue.
I had to come up with a better exploit scenario by looking through the code.
The bot knows about several privileges that a user must have to do several kinds of actions.
To make the bot recognize a TS user as a bot user, you can bind a TS account to a bot account on the Edit user page.
At this time Jarkko realized that the rest of the BBS features probably wouldn't fit in his program.
This should cause A to send the group-info to B again. What if A stays the 'group leader' and C sends the message to B? Correct me if I'm wrong, but there should be no such thing as a "group leader"? Also, a device could for some reason (restoring an old Titanium Backup or something like that) forget a group, but not the key. Your concern is that group members may forward wrong/outdated information to B?
I've had this problem quite a few times myself, some solution to this would be nice. I think it could be done easier (async, without first requesting the group info): When A tries to send the message to the group and has to verify the new identity, A knows the key of B changed.
I have a phone with KitKat and same thing, unnamed, can't rename or respond.
For this part of the series we are going to focus on starting to create the sign in/up & chat rooms sections for our mobile application.
I don’t think we can finish the project example in this post so I’m estimating that I will be publishing at least 1 more post next week.