Matrix: Install security update to fix end-to-end encryption flaws
2022-09-29 18:32

The Matrix decentralized communication platform has published a security warning about two critical-severity vulnerabilities that affect the end-to-end encryption in the software development kit.

A threat actor exploiting these flaws could break the confidentiality of Matrix communications and run man-in-the-middle attacks that expose message contents in a readable form.

Matrix's announcement claims that exploiting the flaws is not an easy task and that they have seen no evidence of active exploitation.

The security issues are in the implementation of the encryption mechanisms and not in the protocol itself.

Besides the observed implementation and specification errors, these vulnerabilities highlight a lack of a unified and formal approach to security guarantees in Matrix.

Matrix is currently focusing on developing cleaner and safer 2nd and 3rd generation SDKs written in Rust, and it's worth noting that the discovered flaws don't impact those newer-generation SDKs. Thunderbird, which added support for Matrix VoIP and chat in version 102, released in June 2022, also pushed a security update yesterday that addresses the issues.


News URL

https://www.bleepingcomputer.com/news/security/matrix-install-security-update-to-fix-end-to-end-encryption-flaws/