Security News > 2021 > September > How a glitch in the Matrix led to apps potentially exposing encrypted chats

The Matrix.org Foundation, which oversees the Matrix decentralized communication protocol, said on Monday multiple Matrix clients and libraries contain a vulnerability that can potentially be abused to expose encrypted messages.

The organization said a blunder in an implementation of the Matrix key sharing scheme - designed to allow a user's newly logged-in device to obtain the keys to decrypt old messages - led to the creation of client code that fails to adequately verify device identity.

Specifically, a paragraph in Matrix E2EE Implementation Guide, which described the desired key handling routine, was followed in the creation of Matrix's original matrix-js-sdk code.

Matrix's key-sharing scheme was added in 2016 as a way to let a Matrix client app ask a message recipient's other devices or the sender's originating device for the keys to decrypt past messages.

The foundation said it intends to review the key sharing documentation and to revise it to make it clearer how to implement key sharing in a safe way.

The group also said it will revisit whether key sharing is really necessary in the Matrix protocol and will focus on making matrix-rust-sdk a portable reference implementation of the Matrix protocol, so other libraries don't have to reimplement logic that has proven to be difficult to do properly.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/09/13/matrix_foundation_implementation_bug/