Security News > 2022 > September > Matrix chat encryption sunk by five now-patched holes

Four security researchers have identified five cryptographic vulnerabilities in code libraries that can be exploited to undermine Matrix encrypted chat clients.

"Our perspective is that these attacks together show a rich attack surface in Matrix from both a protocol and implementation perspective," Benjamin Dowling, a lecturer in cybersecurity, told The Register this week.

"While Matrix has performed security audits of the various existing implementations, they sometimes fail to catch attacks that are present due to protocol flaws. Formally modeling the protocol and analyzing the security of the protocol design is an important step in catching and thus preventing attacks of this nature."

The attacks - two critical and three lower priority - target implementations of Matrix in the matrix-react-sdk, matrix-js-sdk, and matrix-android-sdk2 libraries, and they affect client software that incorporates such code, such as Element, Beeper, Cinny, SchildiChat, Circuli, and Synod.

On Wednesday, The Matrix.org Foundation, which manages the decentralized communication protocol, issued an advisory describing the flaws as vulnerabilities in Matrix end-to-end encryption code, and directed users of vulnerable apps and libraries to upgrade them.

"The longer term plans communicated to us by the Matrix developers should then provide full protection against our attacks."

News URL

https://go.theregister.com/feed/www.theregister.com/2022/09/28/matrix_encryption_flaws/