Bug 351098

Summary: Unpair requests can be spoofed from any device
Product: [Applications] kdeconnect Reporter: Lennart Grahl <lennart.grahl>
Component: commonAssignee: Albert Vaca Cintora <albertvaka>
Status: RESOLVED FIXED    
Severity: normal CC: nicolas.fella
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Other   
OS: All   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description Lennart Grahl 2015-08-08 22:15:22 UTC 
I'm currently writing an alternative implementation of KDE connect in Python. While going through the code, one thing that catched my attention was that `pair` type messages with `pair` set to `False` (essentially an unpair request) have no challenge or any other sort of mechanism that would prevent other devices from spoofing an unpair request. Has this just been overlooked or is there a specific reason for allowing this?

Reproducible: Always
Comment 1 Albert Vaca Cintora 2015-08-16 01:18:23 UTC 
This is indeed a code bug and a security problem. We are working on a re-write of the pairing and encryption code, so we will include a fix for this in the new code. Thanks!