Matrix patches five vulnerabilities in its end-to-end encryption – SC Media

Matrix recently patched five vulnerabilities in its end-to-end encryption, two of them critical, that can break the confidentiality and authentication of messages.

If not patched, these vulnerabilities would let a malicious server read user messages and impersonate devices.

Matrix manages some 100,000 servers worldwide. Its technology delivers a federated communication protocol that lets clients with accounts on Matrix servers exchange messages. Matrix provides simple HTTP APIs and SDKs that help developers create chatrooms, direct chats and chat bots, complete with end-to-end encryption, file transfer, synchronized conversation history, formatted messages, and read receipts.

The vulnerabilities were discovered by security researchers at Royal Holloway University London, the University of Sheffield, and Brave Software and then published in an 18-page academic paper. According to a blog post by Matrix, the two critical vulnerabilities include the following:

Eric Cole, advisory board member at Theon Technology, said this teaches us two important lessons. First, encryption software must have more rigorous testing than other software. Second, unpatched systems are still one of the top methods attackers use to compromise servers even with encryption software, so it's important to patch, patch, patch.

"While it appears that this has been caught before it has been used in the wild, it is important to remember that we just do not know," Cole said. "Attackers are clever, attackers can hide their tracks and attackers can use delay methods to make it harder to detect. It appears this was caught early enough, but proper investigations of potentially infected users should still be performed."
