"Matrix: Install Security Update to Fix End-To-End Encryption Flaws"

The Matrix decentralized communication platform has issued a security alert regarding two critical-severity vulnerabilities in the end-to-end encryption of its Software Development Kit (SDK). Exploiting these flaws could allow a threat actor to compromise Matrix communications and launch man-in-the-middle attacks that expose message contents in readable form. Impacted clients include those using matrix-js-sdk, matrix-ios-sdk, and matrix-android-sdk2, such as Element, Beeper, Cinny, SchildiChat, Circuli, and Synod.im. Clients that use a different encryption implementation, such as Hydrogen, ElementX, Nheko, FluffyChat, Syphon, Timmy, Gomuks, and Pantalaimon, are not affected by the bugs. Matrix emphasizes that the issues have been resolved and that all users need to do to ensure the security of their communications is apply the available updates to their IM clients. According to Matrix's announcement, exploiting the flaws is difficult, and there is no evidence of active exploitation. Researchers from Brave Software, Royal Holloway University in London, and the University of Sheffield discovered the flaws and responsibly disclosed them to Matrix, stating that the bugs stem from the implementation of the encryption mechanisms rather than from the protocol itself. This article continues to discuss the vulnerabilities discovered in Matrix's end-to-end encryption.

Bleeping Computer reports "Matrix: Install Security Update to Fix End-To-End Encryption Flaws"
