Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Critical encryption vulnerability found in secure communications platform Matrix

A critical vulnerability in certain Matrix clients could allow an attacker access to encrypted messages.

Users of the open source, decentralized communications platform are urged to update their systems after a serious implementation bug was found in its end-to-end encryption.

The issue, tracked as CVE-2021-40823 and CVE-2021-40824, is due to a logic error in the room key sharing functionality of Matrix.

It allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room.

This means that an attacker can decrypt end-to-end encrypted messages sent by vulnerable clients.

The vulnerability affects multiple Matrix clients and libraries including Element (Web/Desktop/Android), FluffyChat, Nheko, Cinny, and SchildiChat. Element on iOS is not affected.

Implementation issues

In an advisory, the platform’s parent company, Element, said that the vulnerability was discovered during a routine audit by one of its researchers.

It reads: “Exploiting this vulnerability to read encrypted messages requires gaining control over the recipient’s account. This requires either compromising their credentials directly or compromising their homeserver.

“Thus, the greatest risk is to users who are in encrypted rooms containing malicious servers. Admins of malicious servers could attempt to impersonate their users’ devices in order to spy on messages sent by vulnerable clients in that room.”

Element stressed that the issue is not due to a flaw in the Matrix or Olm/Megolm protocols, nor the libolm implementation, but in certain Matrix clients and SDKs which support end-to-encryption.

Users are urged to update to the latest versions immediately. A list of affected software can be found in the release.

The company said it apologizes “sincerely” for any inconvenience caused.

Source: https://portswigger.net/daily-swig/critical-encryption-vulnerability-found-in-secure-communications-platform-matrix

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

Google has announced the first open-source quantum resilient FIDO2 security key implementation, which uses a unique ECC/Dilithium hybrid signature schema co-created with ETH Zurich....

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO