Search This Blog

A Matrix Update Patches Serious End-to-End Encryption Flaws

Technical data shows clients were using the matrix-js-sdk, matrix-android-sdk2, and matrix-ios-sdk, hit by the bugs, rest are safe.
Recently the open source Matrix messenger protocol published security warnings on its platform about two critical-severity vulnerabilities that affect the end-to-end encryption in the software development kit (SDK). 

As per the warning statement, the groups of malicious actors are exploiting these vulnerabilities that could break the confidentiality of Matrix communications. The vulnerabilities also allow the threat actors to run man-in-the-middle attacks that expose message contents in a readable form. 

According to the technical data, the users who were using the matrix-js-sdk, matrix-android-sdk2, and matrix-ios-sdk, like Element, Cinny, SchildiChat, Beeper, Circuli, and have been hit by the bugs. However, the platform clarified that clients using a different encryption implementation such as Hydrogen, Nheko, ElementX, FluffyChat, Timmy, Syphon, Gomuks, Pantalaimon) are safe from the attacks. 

The vulnerabilities were reported to Matrix by the researchers of Brave Software, the University of Sheffield, and the Royal Holloway University in London. The group published the technical details of the research findings. 

List of the critical severity flaws discovered by the team

  • CVE-2022-39255: Same as CVE-2022-39251 but impacting matrix-ios-sdk (iOS clients). 
  • CVE-2022-39251: Protocol-confusion bug in matrix-js-sdk, leading to incorrectly accepting messages from a spoofed sender, possibly impersonating a trusted sender. 

The same flaw makes it possible for malicious home server admins to add backup keys to the target's account. 

  • CVE-2022-39250: Key/Device identifier confusion in SAS verification on matrix-js-sdk, enabling a malicious server administrator to break emoji-based verification when cross-signing is used, authenticating themselves instead of the target user.
  • CVE-2022-39257: Same as CVE-2022-39249 but impacting matrix-ios-sdk (iOS clients).
  • CVE-2022-39248: Same as CVE-2022-39251 but impacting matrix-android-sdk2 (Android clients). 
  • CVE-2022-39249: Semi-trusted impersonation problem in matrix-js-sdk leading to accepting keys forwarded without request, making impersonation of other users in the server possible. Clients mark these messages as suspicious on the recipient's end,  thus dropping the severity of the bug. 
  • CVE-2022-39246: Same as CVE-2022-39249 but impacting matrix-android-sdk2 (Android clients). 
Furthermore, the report detailing listed two problems that are yet to receive an identification number. One of these problems allows malicious actors access to the home server and the second refers to using AES-CTR. 

Share it:

Cyber flaws

cyber incident

Cyber Vulnerabilities

Data theft extortion



Vulnerabilities and Exploits