Implementation bug discovered in certain clients and libraries
A critical vulnerability in certain Matrix clients could allow an attacker access to encrypted messages.
Users of the open source, decentralized communications platform are urged to update their systems after a serious implementation bug was found in its end-to-end encryption.
The issue, tracked as CVE-2021-40823 and CVE-2021-40824, is due to a logic error in the room key sharing functionality of Matrix.
It allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room.
This means that an attacker can decrypt end-to-end encrypted messages sent by vulnerable clients.
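To make the security-relevant point concrete, the following is an added illustrative example written for this article, not code from matrix-js-sdk, Element, or any other affected client, and it does not reproduce the specific logic error in those SDKs. It models the decision a client has to make when it receives a Matrix `m.room_key_request` and considers answering with an `m.forwarded_room_key`: the requesting device must be one of our own devices, it must be one we have verified, and (a deliberately conservative policy that is an assumption of this example, not a quotation of any SDK's rules) the session must be one we created ourselves. The user IDs, device IDs, room ID, session IDs and the sample requests are all constructed.

```javascript
// Added illustrative example for this article; NOT code from matrix-js-sdk,
// Element, or any other affected client, and not a reproduction of their bug.
// It models the checks a client should make before answering an
// m.room_key_request with an m.forwarded_room_key.

// Constructed sample state for the local client ("us").
const OWN_USER_ID = "@alice:example.org";

// Constructed device list for our own account; `verified` models whether we
// have verified that device ourselves (e.g. via cross-signing), rather than
// merely being told about it by our homeserver.
const OWN_DEVICES = {
  ALICELAPTOP: { verified: true },
  ALICEPHONE: { verified: false },
};

// Constructed index of the Megolm sessions this client created itself.
const OUTBOUND_SESSIONS = new Set(["!room1:example.org|sess-0001"]);

function sessionKey(roomId, sessionId) {
  return `${roomId}|${sessionId}`;
}

// Decide whether to forward the key for one room key request. `request`
// mirrors the fields a to-device m.room_key_request carries: the sender's
// user ID and device ID, plus the room and session being asked for.
function shouldShareKey(request) {
  const { senderUserId, senderDeviceId, roomId, sessionId } = request;

  // A malicious homeserver can impersonate devices of its *own* users, so a
  // request from another user's device must never be honoured on its own.
  if (senderUserId !== OWN_USER_ID) {
    return { share: false, reason: "requester is not our own user" };
  }
  const device = OWN_DEVICES[senderDeviceId];
  if (!device) {
    return { share: false, reason: "unknown device for our user" };
  }
  // Our own homeserver can also register an unverified device on our
  // account; only a device we verified out of band receives keys.
  if (!device.verified) {
    return { share: false, reason: "device is not verified" };
  }
  // Conservative policy (assumption): only forward sessions we originated.
  if (!OUTBOUND_SESSIONS.has(sessionKey(roomId, sessionId))) {
    return { share: false, reason: "we did not originate this session" };
  }
  return { share: true, reason: "own verified device, own outbound session" };
}

// Process a batch of requests and return the decision taken for each.
function triageRequests(requests) {
  return requests.map((req) => ({ ...req, ...shouldShareKey(req) }));
}

// Constructed sample requests, including ones a malicious server could inject.
const SAMPLE_REQUESTS = [
  { senderUserId: "@alice:example.org", senderDeviceId: "ALICELAPTOP", roomId: "!room1:example.org", sessionId: "sess-0001" },
  { senderUserId: "@alice:example.org", senderDeviceId: "ALICEPHONE", roomId: "!room1:example.org", sessionId: "sess-0001" },
  { senderUserId: "@alice:example.org", senderDeviceId: "ROGUE", roomId: "!room1:example.org", sessionId: "sess-0001" },
  { senderUserId: "@mallory:evil.example", senderDeviceId: "ALICELAPTOP", roomId: "!room1:example.org", sessionId: "sess-0001" },
  { senderUserId: "@alice:example.org", senderDeviceId: "ALICELAPTOP", roomId: "!room1:example.org", sessionId: "sess-9999" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const d of triageRequests(SAMPLE_REQUESTS)) {
    console.log(`${d.share ? "SHARE" : "DENY "} ${d.senderUserId}/${d.senderDeviceId} ${d.sessionId}: ${d.reason}`);
  }
}
```

Only the first sample request is honoured; the others model exactly the situation the advisory warns about, a server-side actor presenting a device that is not one the recipient has verified, or a request arriving from a user other than ourselves. Whatever the precise misplaced comparison was in the affected SDKs, the invariant a client must preserve is that room keys leave the device only towards devices the user has verified as their own.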
The vulnerability affects multiple Matrix clients and libraries including Element (Web/Desktop/Android), FluffyChat, Nheko, Cinny, and SchildiChat. Element on iOS is not affected.
Implementation issues
In its advisory, the Matrix Foundation said the vulnerability was discovered during a routine audit by one of its researchers.
It reads: “Exploiting this vulnerability to read encrypted messages requires gaining control over the recipient’s account. This requires either compromising their credentials directly or compromising their homeserver.
“Thus, the greatest risk is to users who are in encrypted rooms containing malicious servers. Admins of malicious servers could attempt to impersonate their users’ devices in order to spy on messages sent by vulnerable clients in that room.”
The Matrix Foundation stressed that the issue is not a flaw in the Matrix, Olm or Megolm protocols, nor in the libolm implementation, but in certain Matrix clients and SDKs that support end-to-end encryption.
Users are urged to update to the latest versions immediately. The advisory lists the affected software.
The foundation said it apologizes “sincerely” for any inconvenience caused.