Recently, the open-source Matrix messaging protocol published security warnings on its platform about two critical-severity vulnerabilities that affect end-to-end encryption in its software development kits (SDKs).
According to the warning, groups of malicious actors are exploiting these vulnerabilities, which could break the confidentiality of Matrix communications. The vulnerabilities also allow threat actors to run man-in-the-middle attacks that expose message contents in readable form.
According to the technical details, clients built on matrix-js-sdk, matrix-android-sdk2 and matrix-ios-sdk, such as Element, Cinny, SchildiChat, Beeper, Circuli and Synod.im, are affected by the bugs.
However, the platform clarified that clients using a different encryption implementation (such as Hydrogen, Nheko, ElementX, FluffyChat, Timmy, Syphon, Gomuks and Pantalaimon) are safe from the attacks.
The vulnerabilities were reported to Matrix by researchers from Brave Software, the University of Sheffield and Royal Holloway, University of London. The group has published the technical details of its findings.
List of the critical-severity flaws discovered by the team:
- CVE-2022-39250: Key/device identifier confusion in SAS verification in matrix-js-sdk, enabling a malicious server administrator to break emoji-based verification when cross-signing is used, authenticating themselves instead of the target user.
- CVE-2022-39251: Protocol-confusion bug in matrix-js-sdk, leading to incorrectly accepting messages from a spoofed sender, possibly impersonating a trusted sender. The same flaw makes it possible for malicious home server admins to add backup keys to the target's account.
- CVE-2022-39248: Same as CVE-2022-39251 but impacting matrix-android-sdk2 (Android clients).
- CVE-2022-39255: Same as CVE-2022-39251 but impacting matrix-ios-sdk (iOS clients).
- CVE-2022-39257: Same as CVE-2022-39249 but impacting matrix-ios-sdk (iOS clients).