2 min read

Matrix Releases Updates to Patch Critical End-to-end Encryption Vulnerabilities

Vlad CONSTANTINESCU

September 30, 2022

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Matrix Releases Updates to Patch Critical End-to-end Encryption Vulnerabilities

Decentralized communication platform Matrix issued a warning about end-to-end encryption vulnerabilities in some of its software development kits (SDKs).

Matrix is a decentralized, interoperable open standard for real-time IP-based communication. The flawed SDKs affect several clients based on matrix-js-sdk, matrix-ios-sdk, or matrix-android-sdk2, including Beeper, Element, SchildChat, Cinny, Synod.im and Circuli.

“If you're using Element or an application that shares the same SDKs (Beeper, Cinny, SchildiChat, Circuli, Synod.im) then please upgrade now,” reads Matrix’s security advisory. “Do not perform verification with new devices until you have upgraded.”

Two of the flaws were flagged as high severity due to the viciousness of the attack scenarios they could allow:

  • “Key/Device Identifier Confusion in SAS Verification”(CVE-2022-39250) – matrix-js-sdk vulnerability, leads to mix-ups between cross-signing keys and device IDs
  • “Trusted Impersonation” CVE-2022-39251(matrix-js-sdk), CVE-2022-39255 (matrix-ios-sdk) and CVE-2022-39248(matrix-android-sdk2)–protocol confusion bug that could trigger the service to accept rogue to-device messages

Matrix’s advisory also covered lower-severity issues that would allow easily avoidable or purely hypothetical attacks. Combined, the flaws could let threat actors running malicious servers unleash a flurry of attacks against their users, including:

  • Breaking emoji-based verification to hijack authentication attempts
  • Impersonating trusted senders of to-device messages
  • Exfiltrating message keys by adding malicious key backups to the user account
  • Faking encrypted messages to make them appear as if they were sent from a specific user
  • Extracting encryption private keys by observing encryption and decryption operation results
  • Linking malicious devices to user accounts or inviting malicious users into conversations

Despite the severity of the scenarios, Matrix claims the vulnerabilities should be no cause for concern, as there’s no sign of them being exploited in attacks in the wild. However, the company still urges users to apply the latest update immediately to avoid security risks.

“These have now been fixed, and we have not seen evidence of them being exploited in the wild,” according to Matrix’s security advisory. “All of the critical vulnerabilities require cooperation from a malicious home server to be exploited. Please upgrade immediately in order to be protected against these vulnerabilities.”

tags


Author



Right now

Top posts

Enhance your cyber resilience and privacy on Computer Security Day in four easy steps

Enhance your cyber resilience and privacy on Computer Security Day in four easy steps

November 29, 2022

2 min read
How to monitor your online privacy during your Thanksgiving trip

How to monitor your online privacy during your Thanksgiving trip

November 22, 2022

3 min read
Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

November 16, 2022

6 min read
Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

November 14, 2022

5 min read
Cyber Tips for a Spook-Free Halloween

Cyber Tips for a Spook-Free Halloween

October 26, 2022

3 min read
August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August 31, 2022

4 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Royal Ransomware Launches Attacks on US Healthcare Organizations, Government Warns Royal Ransomware Launches Attacks on US Healthcare Organizations, Government Warns
Vlad CONSTANTINESCU

December 09, 2022

2 min read
North Korean APT Group Exploits Internet Explorer Zero-Day Flaw, Google Warns North Korean APT Group Exploits Internet Explorer Zero-Day Flaw, Google Warns
Vlad CONSTANTINESCU

December 08, 2022

2 min read
Medibank Goes Offline to Rebuild Cyber Defenses in Wake of October Hack Medibank Goes Offline to Rebuild Cyber Defenses in Wake of October Hack
Filip TRUȚĂ

December 08, 2022

2 min read