I2P-Bote 0.4.4 fixes a security vulnerability present in all earlier versions of the I2P-Bote plugin. The Android app was not affected.

The I2P-Bote web interface lacked CSRF protection. If a user was running I2P-Bote and then loaded a malicious site in a browser with JavaScript enabled, that site could make the browser issue requests to the local I2P-Bote interface, and those requests were accepted as if the user had made them. The adversary could therefore trigger actions in I2P-Bote on behalf of the user, such as sending messages. This might also have enabled extraction of private keys for I2P-Bote addresses; however, no proof of exploit was tested for this.
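
The example below is an added illustration of the flaw class and the usual fix, written for this page; it is not I2P-Bote's own code and does not reflect how the 0.4.4 patch was implemented. It models a "send message" handler twice: the pre-fix pattern, where whatever credential the browser attaches automatically (a session cookie here) is enough to authorize the action, and a hardened pattern that additionally requires POST, a per-session synchronizer token embedded only in the genuine UI's forms, and an Origin header matching the interface. The request objects, the session table, the UI origin `http://127.0.0.1:7657` and the attacker origin `http://evil.example` are all constructed assumptions for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed stand-in for the local web interface's origin; not taken from the advisory.
UI_ORIGIN = "http://127.0.0.1:7657"


@dataclass
class Request:
    """Minimal model of an HTTP request as the server receives it."""
    method: str
    cookies: dict = field(default_factory=dict)   # attached automatically by the browser
    form: dict = field(default_factory=dict)      # body fields chosen by whoever authored the page
    headers: dict = field(default_factory=dict)


class Sessions:
    """Server-side session table: session id -> per-session state."""

    def __init__(self):
        self._store = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        # One unguessable token per session. The genuine UI embeds it in its
        # forms; a page on another origin cannot read it (same-origin policy).
        self._store[sid] = {"csrf_token": secrets.token_urlsafe(32), "outbox": []}
        return sid

    def get(self, sid):
        return self._store.get(sid)


def send_vulnerable(sessions, req):
    """Pre-fix pattern: the ambient credential alone authorizes the action.

    Any page the victim loads can POST this form; the browser attaches the
    session cookie, so the message goes out on the user's behalf."""
    session = sessions.get(req.cookies.get("sid"))
    if session is None:
        return 401, "no session"
    session["outbox"].append((req.form.get("to"), req.form.get("body")))
    return 200, "sent"


def send_hardened(sessions, req):
    """Synchronizer token plus Origin check.

    A forged cross-site POST carries the cookie but neither the per-session
    token (unreadable from another origin) nor a matching Origin header."""
    session = sessions.get(req.cookies.get("sid"))
    if session is None:
        return 401, "no session"
    if req.method != "POST":
        return 405, "state change requires POST"
    origin = req.headers.get("Origin")
    if origin is not None and origin != UI_ORIGIN:
        return 403, "cross-origin request refused"
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    session["outbox"].append((req.form.get("to"), req.form.get("body")))
    return 200, "sent"


def demo():
    sessions = Sessions()
    sid = sessions.create()
    token = sessions.get(sid)["csrf_token"]

    # Genuine submission from the interface: cookie, token and same origin.
    genuine = Request("POST",
                      cookies={"sid": sid},
                      form={"to": "alice", "body": "hi", "csrf_token": token},
                      headers={"Origin": UI_ORIGIN})

    # Constructed forged request: what the victim's browser sends when a
    # malicious page auto-submits a hidden form (or fires it from JavaScript)
    # at the local interface. The cookie rides along; the token and Origin
    # cannot be supplied from another site.
    forged = Request("POST",
                     cookies={"sid": sid},
                     form={"to": "attacker", "body": "spam"},
                     headers={"Origin": "http://evil.example"})

    return {
        "vulnerable_genuine": send_vulnerable(sessions, genuine)[0],
        "vulnerable_forged": send_vulnerable(sessions, forged)[0],   # 200: CSRF succeeds
        "hardened_genuine": send_hardened(sessions, genuine)[0],
        "hardened_forged": send_hardened(sessions, forged)[0],       # 403: refused
        "outbox": list(sessions.get(sid)["outbox"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The Origin check is a second, independent line of defence: some browsers omit the header on certain same-origin requests, which is why the code treats a missing header as acceptable but a mismatching one as fatal, and why the token remains the primary control.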

All I2P-Bote users will be upgraded automatically the first time they restart their router after I2P 0.9.28 is released in mid-December. However, for safety we recommend that you follow the instructions on the installation page to upgrade manually if you plan to use I2P or I2P-Bote in the meantime. Because key extraction could not be ruled out, you should also consider generating new I2P-Bote addresses if you regularly browse sites with JavaScript enabled while running I2P-Bote.