Decentralized communication platform Matrix issued a warning about end-to-end encryption vulnerabilities in some of its software development kits (SDKs).
Matrix is a decentralized, interoperable open standard for real-time IP-based communication. The flawed SDKs affect several clients based on matrix-js-sdk, matrix-ios-sdk, or matrix-android-sdk2, including Beeper, Element, SchildChat, Cinny, Synod.im and Circuli.
“If you're using Element or an application that shares the same SDKs (Beeper, Cinny, SchildiChat, Circuli, Synod.im) then please upgrade now,” reads Matrix’s security advisory. “Do not perform verification with new devices until you have upgraded.”
Two of the flaws were flagged as high severity due to the viciousness of the attack scenarios they could allow:
Matrix’s advisory also covered lower-severity issues that would allow easily avoidable or purely hypothetical attacks. Combined, the flaws could let threat actors running malicious servers unleash a flurry of attacks against their users, including:
Despite the severity of the scenarios, Matrix claims the vulnerabilities should be no cause for concern, as there’s no sign of them being exploited in attacks in the wild. However, the company still urges users to apply the latest update immediately to avoid security risks.
“These have now been fixed, and we have not seen evidence of them being exploited in the wild,” according to Matrix’s security advisory. “All of the critical vulnerabilities require cooperation from a malicious home server to be exploited. Please upgrade immediately in order to be protected against these vulnerabilities.”
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsSeptember 06, 2024
September 02, 2024
August 13, 2024