High severity vulnerability in Matrix communication protocol allows hackers to read encrypted chats on Android phones

Representatives of the Matrix.org Foundation, which is in charge of the Matrix communication protocol, revealed that multiple clients and protocols are affected by a vulnerability that could be exploited to leak messages even when they are protected with encryption. As some users may know, Matrix is an open instant messaging protocol that allows users to communicate via text messages, Voice over Internet Protocol (VoIP), and video chat.

According to the report, an error in the implementation of the Matrix key exchange scheme can result in client code that does not properly verify the identity of the device. Consequently, threat actors could obtain a user’s keys from the Matrix client.

Specifically, the original matrix-js-sdk code was written by following a paragraph in the Matrix E2EE (end-to-end encryption) Implementation Guide that describes the desired key handling routine. This SDK does not adequately verify the identity of the device requesting the shared key, and the same problem carried over to other Matrix chat clients and libraries.

Exploiting this flaw requires threat actors to access the message recipient’s account, either by using stolen credentials or by compromising the victim’s server: “Malicious server administrators could attempt to impersonate their users’ devices to spy on messages sent by vulnerable clients in that room,” notes the report.
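
As an added illustration (not code from matrix-js-sdk or from the Matrix.org report), the following JavaScript models the difference between a key-share handler that trusts the device ID claimed in a request and one that ties the request to the identity key on record for that device. All names, fields and sample values are assumptions constructed for this example.

```javascript
// Simplified model of key-share request handling. Hypothetical names and
// constructed data; this is not matrix-js-sdk code.
const OWN_USER = "@alice:example.org";

// Devices already known for the account, keyed by device ID (constructed).
const knownDevices = new Map([
  ["PHONE01", { identityKey: "KEY-PHONE-constructed", verified: true }],
  ["LAPTOP02", { identityKey: "KEY-LAPTOP-constructed", verified: false }],
]);

// Weak: trusts the user ID and device ID claimed inside the request.
function shareKeyWeak(req) {
  return req.claimedUser === OWN_USER && knownDevices.has(req.claimedDevice);
}

// Strict: the claimed device must match the cryptographic identity that
// actually delivered the request, and the user must have verified that device.
function shareKeyStrict(req) {
  if (req.claimedUser !== OWN_USER) return false;
  const device = knownDevices.get(req.claimedDevice);
  if (!device || !device.verified) return false;
  // deliveredByKey is null when the request did not arrive over an
  // authenticated encrypted channel (assumption of this model).
  return req.deliveredByKey !== null && req.deliveredByKey === device.identityKey;
}

// Constructed sample requests.
const samples = {
  genuine: { claimedUser: OWN_USER, claimedDevice: "PHONE01", deliveredByKey: "KEY-PHONE-constructed" },
  unauthenticated: { claimedUser: OWN_USER, claimedDevice: "PHONE01", deliveredByKey: null },
  wrongKey: { claimedUser: OWN_USER, claimedDevice: "PHONE01", deliveredByKey: "KEY-OTHER-constructed" },
  unverified: { claimedUser: OWN_USER, claimedDevice: "LAPTOP02", deliveredByKey: "KEY-LAPTOP-constructed" },
};

// Returns { name: { weak, strict } } for every sample request.
function compareHandlers() {
  const out = {};
  for (const [name, req] of Object.entries(samples)) {
    out[name] = { weak: shareKeyWeak(req), strict: shareKeyStrict(req) };
  }
  return out;
}

console.table(compareHandlers());
```

In this model the weak handler approves all four requests, while the strict handler approves only the one delivered with the identity key of a verified device.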

At the moment there are no known attempts at active exploitation, so the risk is considered theoretical. However, it is important to consider that affected clients include software such as Element, FluffyChat, Nheko, and SchildiChat.

Updates for affected software have been made available in the relevant repositories. The foundation said it intends to review the key sharing documentation and to revise it to make it clearer how to implement key sharing in a safe way.
