Internal audit uncovers critical encryption vulnerability in multiple Matrix clients
A critical implementation bug1 was discovered in Matrix2 clients and SDK’s that use E2EE (end-to-end encryption), after an internal audit that was conducted by Denis Kasak, an internal researcher at Element3.
Known vulerable software that has been affected:
- Element (Web/Desktop/Android)
- FluffyChat
- Nheko
- Cinny
- SchildiChat
The recommended action is to immediately upgrade your software:
Patched versions of affected clients are available now; please upgrade as soon as possible — we apologise sincerely for the inconvenience.
The bug was discovered 3 weeks ago and the public was notified today:
- 2 weeks ago (23 August 2021): discovery of vulerability, the audit was triggered
- 7 September 2021: audit was completed
- 13 September 2021 (today): public disclosure
For an extended timeline of events and more in-depth analysis you can visit Element’s blog page4.
-
https://cve.circl.lu/cve/CVE-2021-40823, https://cve.circl.lu/cve/CVE-2021-40824 ↩
-
https://matrix.org/ ↩
-
https://element.io/ ↩
-
https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing ↩