In most client applications for decentralized communication platform Matrix identified vulnerabilities ( CVE-2021-40823 , CVE-2021-40824 ), provides information about the keys used for transmitting messages in a chat room with a through encryption (E2EE). An attacker compromising one of the chat users can decrypt messages previously sent to this user from vulnerable client applications.
Successful exploitation requires access to the recipient’s account record messages. Access may be obtained either through leakage account parameters and through hacking Matrix-server through which a user is connected. The greatest danger vulnerabilities represent to the user encrypted chat rooms, which are connected to Matrix-server controlled by hackers. Administrators of these servers may try to impersonate the users on the server to intercept messages sent to a chat with vulnerable client applications.
vulnerabilities caused by logical errors in implementations of the mechanism of re-access to the keys proposed in matrix-js-sdk matrix-android-sdk2 matrix-rust-sdk FamedlySDK Nheko ≤ 0.8.2. Implementation on the basis of libraries matrix-ios-sdk , matrix-nio and libolm not affected.
Accordingly, vulnerability appear in all applications, to borrow the problem code, and do not relate directly to the protocols and Matrix Olm / Megolm. In particular, the problem affects the main Matrix-client Element (ex-Riot) for the Web, desktop and Android, as well as third-party client applications and libraries, including FluffyChat , Nheko , Cinny and SchildiChat . The problem does not appear in the official client for iOS platform, as well as Chatty applications, Hydrogen, mautrix, purple-matrix and Syphon.