XEP-0146 makes it possible to extract plain-text from OTR sessions
I'm using Gajim nightlies and the Gajim OTR plugin coming from the repositories, also updated to the latest versions (automatically). I'm making my tests on Linux, for what it's worth.
The problem I'm exposing seems to already be known by a few users and developers. If you agree with what I'm saying and we share the same concerns I think it's time to address the problem once and for all.
XEP-0146 - Remote Controlling Clients. Still implemented in Gajim.
Briefly, this enables an XMPP client logged on to an account to connect to another client logged on to the same account, another valid XMPP resource for the same user, and interact with it for different purposes. One of the options is to have your remote client forward unread messages to the one at hand. So far, nothing sounds too worrying. But today there's a lot to be concerned about.
By keeping XEP-0146 implemented in Gajim you're exposing users to a security threat as bad as the following:
When users use OTR and I query Gajim from - say - Pidgin, I get a PLAIN-TEXT copy of the unread messages over the wire, as the client forwards them as it knows them, decoded. While this makes it sound like a useful feature, there's something that seems to have been underestimated for way too long.
XMPP prevents a logged-in user from spoofing the sender header of XML stanzas. However the server administrator, by protocol design (please correct me if I'm mistaken), could forge legal XMPP stanzas instead. If that is true, any server owner could trick their users' Gajim into forwarding unread messages to them! And this means they can now download PLAIN-TEXT COPIES of OTR-ENCRYPTED SESSIONS anytime on demand from about any Gajim client logged in to their server!
As a user I tried to look for a solution myself by disabling the remote_control entry in the advanced configuration panel, sadly to no avail. I can still find those Gajim-interaction options in Pidgin's commands for my account. So it seems there's nothing we can possibly do on our side to prevent this from happening, and that's why I'm filing this bug with you.
I don't know for sure if the same applies to other clients, which is possible. I personally could only observe this when using Gajim.
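To make the mitigation the report points at concrete, here is an added example (not Gajim's or the OTR plugin's code) of how a client could gate a XEP-0146 "forward unread messages" command: it checks the XEP-0050 command node and the same-account sender, and, because a server can originate a stanza with any `from`, it additionally refuses to forward any message body that only exists in plain text because OTR decrypted it. The stanza, the `Unread` record and the `via_otr` flag are constructed for this illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

NS_COMMANDS = "http://jabber.org/protocol/commands"        # XEP-0050 ad-hoc commands
RC_FORWARD = "http://jabber.org/protocol/rc#forward"       # XEP-0146 "forward unread messages"


@dataclass
class Unread:
    sender: str
    body: str
    via_otr: bool   # True when the body was decrypted from an OTR session (constructed flag)


def bare(jid: str) -> str:
    """Strip the resource: alice@example.org/gajim -> alice@example.org."""
    return jid.split("/", 1)[0]


def forwardable(iq_xml: str, own_jid: str, unread: List[Unread]) -> Optional[List[Unread]]:
    """Return the unread messages the client may forward in reply to this IQ, or None to refuse.

    Hypothetical policy for illustration: the same-account check is necessary but not sufficient,
    since the server itself can forge the 'from' (the concern in the report), so OTR-decrypted
    bodies are withheld regardless of who appears to ask for them.
    """
    iq = ET.fromstring(iq_xml)
    if iq.tag.split("}")[-1] != "iq" or iq.get("type") != "set":
        return None
    cmd = iq.find(f"{{{NS_COMMANDS}}}command")
    if cmd is None or cmd.get("node") != RC_FORWARD:
        return None
    if bare(iq.get("from", "")) != bare(own_jid):
        return None   # another account asked; not a legitimate XEP-0146 peer
    # Plain text produced by OTR decryption never leaves this client via remote control.
    return [m for m in unread if not m.via_otr]


# Constructed sample: a remote-control request from another resource of the same account.
SAMPLE_IQ = (
    "<iq type='set' from='alice@example.org/pidgin' to='alice@example.org/gajim' id='rc1'>"
    f"<command xmlns='{NS_COMMANDS}' node='{RC_FORWARD}' action='execute'/>"
    "</iq>"
)
SAMPLE_UNREAD = [
    Unread("bob@example.org", "lunch at noon?", via_otr=False),
    Unread("carol@example.org", "decrypted OTR text", via_otr=True),
]

if __name__ == "__main__":
    for m in forwardable(SAMPLE_IQ, "alice@example.org/gajim", SAMPLE_UNREAD) or []:
        print(f"would forward from {m.sender}: {m.body}")   # only the non-OTR message
```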