Matrix iOS SDK allows developers to build iOS apps compatible with Matrix. Prior to version 0.23.19, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. matrix-ios-sdk version 0.23.19 has been modified to only accept Olm-encrypted to-device messages. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround. To avoid malicious backup attacks, one should not verify one's new logins using emoji/QR verifications methods until patched.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:NMatrix Software Development Kit
APPMatrix< 0.23.19
Related vulnerabilities
matrix-android-sdk2 is the Matrix SDK for Android. Prior to version 1.5.1, an attacker cooperating with a mali...
matrix-android-sdk2 is the Matrix SDK for Android. Prior to version 1.5.1, an attacker cooperating with a mali...
Matrix iOS SDK allows developers to build iOS apps compatible with Matrix. Prior to version 0.23.19, an attack...
Sydent is an identity server for the Matrix communications protocol. Prior to version 2.5.6, if configured to ...
The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. The Olm se...