- The developers of the open-source Matrix messenger protocol have released an update to fix serious end-to-end encryption vulnerabilities that undermine the confidentiality and authentication guarantees that have been key to the platform's meteoric rise.
- Matrix is a sprawling ecosystem of open-source and proprietary chat and collaboration clients and servers that are completely interoperable.
- The best-known app in this family is Element, a chat client for Windows, iOS, macOS, and Android, but there’s a dizzying array of other members.
Matrix aims to be for real-time communication what the SMTP standard is for email: a federated protocol that allows user clients connected to different servers to exchange messages with each other. Unlike SMTP, however, Matrix provides robust end-to-end encryption, or E2EE, designed to ensure that messages cannot be spoofed and that only the senders and receivers can read their contents.
Matthew Hodgson, the co-founder and project lead for Matrix and the CEO & CTO at Element, maker of the flagship Element application, said in an email that conservative estimates put the number of Matrix accounts at about 69 million, spread across some 100,000 servers.
Currently, Matrix sees about 2.5 million monthly active users on its Matrix.org server, though he said this figure is also likely an underestimate. Among the hundreds of organizations that have announced plans to build internal messaging systems on Matrix are Mozilla, KDE, and the governments of France and Germany.
A team of researchers published a paper reporting various vulnerabilities that undermine the authentication and confidentiality guarantees of Matrix. All of the attacks described by the researchers require the aid of a malicious or compromised home server that targets the users who connect to it. In some cases, experienced users have ways to detect that an attack is underway.
The researchers reported the vulnerabilities to Matrix privately earlier this year. They agreed to a coordinated disclosure timed to the release by Matrix of updates that address the most serious flaws.
The researchers wrote in an email that the attacks allow a malicious server operator, or anyone who gains control of a Matrix server, to read users' messages and impersonate them to each other. Matrix aims to protect against exactly this kind of behavior by providing end-to-end encryption, but the attacks highlight flaws in both its protocol design and its flagship client implementation, Element.