Daniel Gultsch discovered in Gajim, an XMPP/jabber client. Gajim didn"t verify the origin of roster update, allowing an attacker to spoof them and potentially allowing her to intercept messages.