iOS 7 meeting request hijacking

November 11, 2013 by Sebastian


Hello all,

In the last weeks we have had several reports that with iOS 7 an issue which iOS already presented last year has come back: the so-called "meeting organizer hijacking" bug. It means that a meeting attendee suddenly turns into the meeting organizer and is able to send updates and cancellations to the other attendees.
The original issue was caused by iOS 6. You can read all about it on the Zarafa technical blog:
http://www.zarafa.com/blog/post/2012/10/ios6-meeting-hijacking-fixed-open-source-activesync-implementation-z-push

This time iOS 7 is also not entirely faultless, but we have to admit that the unexpected result is caused by a fix introduced in Z-Push 2.0.8 (ticket ZP-436).

Some months ago we had reports that if a user creates a meeting request on a mobile phone, the Zarafa WebApp lacks the tracking tab. This tab is used by the meeting organizer to see whether an attendee accepted, tentatively accepted or declined a meeting request. The issue was narrowed down to two properties which Z-Push did not set correctly at the time: the meeting status and the response status (PT_LONG:PSETID_Appointment:0x8217 and 0x8218). Both MAPI properties are used to determine who organized a meeting and the respective response status of each attendee. For the meeting organizer, i.e. the user who created the meeting request on his mobile, this means that the response status needs to be set to "olResponseOrganized", indicating that this user owns the meeting.

This was fixed and released in Z-Push 2.0.8.

One important thing to note: normally (via ActiveSync) mobiles can only update appointments created by the user himself or meeting requests organized by the user. In both cases the user is able to change and set these properties along with all others (times, descriptions etc.). If the mobile user is "just an attendee", the only available actions are "accept", "tentatively accept" and "decline", which are handled by a different ActiveSync command, "MeetingResponse". To sum up: if the mobile user is only an attendee of a meeting, he is not able to update the meeting itself, so he cannot change time, subject, location or any other property.

Then iOS 7 was released and the story changed. While we were debugging the issue on a customer system, we observed that iOS 7 immediately synchronizes the data of a newly received meeting request back to the server without applying any modifications: after receiving the meeting request it simply sends the same data back to the server as a change. While this should normally not be a big issue (in the end the data was unchanged), it conflicts with the fix introduced for the tracking tab issue. With iOS 7 the attendee was suddenly able to write, and thereby modify, a meeting request from his mobile phone. The actual data was not changed, but Z-Push did update the meeting and response status to wrong values, so that both properties indicated that this user is the organizer of the meeting. This was limited to the user's own store and did not have the severe side effects of the original iOS 6 hijacking issue, as no updates were sent to the other attendees.

Still, an iOS 7 attendee who also uses Outlook was suddenly presented to himself as the organizer.

We have now fixed this issue by making sure that these properties are only set if no other organizing information is available on the server, which applies especially to new meetings created on the mobile phone.
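The following is an added illustration, not Z-Push code, of the property handling described above: how an unconditional write of the two PSETID_Appointment properties turns the attendee's unchanged iOS 7 echo into an "organizer" marker, and how gating that write on organizing information already present on the server (the fix described above) prevents it. The property and value names are the MS-OXPROPS/MS-OXOCAL names for the ids quoted in the post; the sample items, the field names and the `is_hijacked` consistency check are my own constructions and are not the administrator repair script mentioned below.

```python
# Added illustration, not Z-Push code: models the property handling described in
# the post in plain Python so the iOS 7 echo effect and the fix can be exercised.

# MAPI named properties in PSETID_Appointment referred to in the post
# (MS-OXPROPS names for ids 0x8217 and 0x8218, both PT_LONG).
PID_LID_APPOINTMENT_STATE_FLAGS = 0x8217  # "meeting status" bit field
PID_LID_RESPONSE_STATUS = 0x8218          # "response status"

# PidLidResponseStatus values (MS-OXOCAL); olResponseOrganized is 1.
RESP_NONE = 0
RESP_ORGANIZED = 1
RESP_TENTATIVE = 2
RESP_ACCEPTED = 3
RESP_DECLINED = 4
RESP_NOT_RESPONDED = 5

# PidLidAppointmentStateFlags bits (MS-OXOCAL).
ASF_MEETING = 0x0001   # item is a meeting rather than a plain appointment
ASF_RECEIVED = 0x0002  # the meeting request was received from someone else
ASF_CANCELED = 0x0004

# Constructed sample: the attendee's copy of a received meeting request as it
# sits in the user's store before the mobile touches it.
SAMPLE_RECEIVED_REQUEST = {
    "subject": "Weekly sync",
    "location": "Room 1",
    PID_LID_APPOINTMENT_STATE_FLAGS: ASF_MEETING | ASF_RECEIVED,
    PID_LID_RESPONSE_STATUS: RESP_NOT_RESPONDED,
}

# Constructed sample: the change iOS 7 sends straight back, identical fields and
# no edits. The two MAPI properties are not on the wire; the server maps them.
SAMPLE_ECHO = {"subject": "Weekly sync", "location": "Room 1"}


def apply_update_pre_fix(server_props, incoming):
    """Reconstruction of the Z-Push 2.0.8 behaviour the post describes: every
    appointment update written from the mobile marks the user as organizer."""
    props = dict(server_props)
    props.update(incoming)
    props[PID_LID_APPOINTMENT_STATE_FLAGS] = props.get(PID_LID_APPOINTMENT_STATE_FLAGS, 0) | ASF_MEETING
    props[PID_LID_RESPONSE_STATUS] = RESP_ORGANIZED
    return props


def has_organizer_information(server_props):
    """True when the server already knows who organized this meeting: a response
    status is recorded, or the request was received from someone else."""
    status = server_props.get(PID_LID_RESPONSE_STATUS, RESP_NONE)
    flags = server_props.get(PID_LID_APPOINTMENT_STATE_FLAGS, 0)
    return status != RESP_NONE or bool(flags & ASF_RECEIVED)


def apply_update_post_fix(server_props, incoming):
    """Gated variant matching the fix the post describes: the organizer
    properties are only written when the server holds no organizing information,
    which is the case for a meeting newly created on the mobile."""
    props = dict(server_props)
    props.update(incoming)
    if not has_organizer_information(server_props):
        props[PID_LID_APPOINTMENT_STATE_FLAGS] = ASF_MEETING
        props[PID_LID_RESPONSE_STATUS] = RESP_ORGANIZED
    return props


def is_hijacked(props):
    """Consistency check (my own heuristic, not the repair script from the post):
    a request flagged as received cannot have been organized by its recipient."""
    flags = props.get(PID_LID_APPOINTMENT_STATE_FLAGS, 0)
    return bool(flags & ASF_RECEIVED) and props.get(PID_LID_RESPONSE_STATUS) == RESP_ORGANIZED


if __name__ == "__main__":
    before = apply_update_pre_fix(SAMPLE_RECEIVED_REQUEST, SAMPLE_ECHO)
    after = apply_update_post_fix(SAMPLE_RECEIVED_REQUEST, SAMPLE_ECHO)
    print("2.0.8 behaviour: response status", before[PID_LID_RESPONSE_STATUS], "hijacked:", is_hijacked(before))
    print("fixed behaviour: response status", after[PID_LID_RESPONSE_STATUS], "hijacked:", is_hijacked(after))
    print("new mobile meeting:", apply_update_post_fix({}, {"subject": "Lunch"})[PID_LID_RESPONSE_STATUS])
```

Running the block shows the attendee's echoed request ending up with response status 1 (organized) under the pre-fix logic, while the gated version leaves it at 5 (not responded) and still marks a meeting created from scratch on the mobile as organized.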

Next steps

If you use Z-Push 2.0.8 and have iOS 7 devices in your organization, we strongly recommend updating to this new release. The fix is also included in the releases from last week, Z-Push 2.0.9 beta and 2.1.1 beta. For users who already have broken meetings in their calendars, there is a Python script to fix them. It has to be executed by the Zarafa system administrator and is available for download here.

While this issue only affects a limited number of users, their share is growing as more and more devices are updated. This is why we decided to release this update as final immediately.

We sincerely ask for your understanding.

Sebastian (Z-Push dev team)