Dan Jones

**Name of the Vulnerable Software and Affected Versions** matrix-android-sdk2 versions prior to 1.5.1 **Description** An attacker cooperating with a malicious homeserver can construct messages that appear to have come from another person without any indication. This vulnerability can be used to perform targeted attacks, sending fake to-device messages and potentially injecting key backup secrets. The issue is due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. **Recommendations** For versions prior to 1.5.1, update to version 1.5.1, which only accepts Olm-encrypted to-device messages and stops signing backups on successful decryption. As a temporary workaround, consider avoiding the use of emoji/QR verification methods for new logins until the update is applied, and instead use verify with passphrase. Restrict access to untrusted devices and discard secrets received from them. Ensure key backups are only usable if they have a valid signature from a trusted device.

**Name of the Vulnerable Software and Affected Versions** Matrix Javascript SDK versions prior to 19.7.0 **Description** An attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others. This attack is possible due to the matrix-js-sdk implementing a too permissive key forwarding strategy on the receiving end. The SDK now sets a `trusted` flag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key with `trusted = false` are decorated appropriately, for example, by showing a warning for such messages. This attack requires coordination between a malicious homeserver and an attacker, and those who trust their homeservers do not need a workaround. **Recommendations** Update to version 19.7.0 or later, which includes a more strict default policy for accepting key forwards. As a temporary workaround, consider decorating messages decrypted with a key with `trusted = false` appropriately, for example, by showing a warning for such messages. Restrict access to the key forwarding mechanism to minimize the risk of exploitation. Ensure that clients handle messages with `trusted = false` correctly, for example, by showing a warning for such messages.

**Name of the Vulnerable Software and Affected Versions** Matrix JavaScript SDK versions prior to 19.7.0 **Description** The issue is caused by a bug in the matrix-js-sdk, where an attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one of the users’ identities. This would lead to the other device trusting/verifying the user identity under the control of the homeserver instead of the intended one. The vulnerability is partly made possible due to the design decision of treating cross-signing user identities as Matrix devices on the server side. No other examined implementations were vulnerable. Starting with version 19.7.0, the matrix-js-sdk has been modified to double check that the key signed is the one that was verified instead of just referencing the key by ID. An additional check has been made to report an error when one of the device ID matches a cross-signing key. **Recommendations** For versions prior to 19.7.0, update to version 19.7.0 or later to resolve the issue. As a temporary workaround, consider reviewing your device list or the device list of other users for devices with IDs in the form of a base64 cross-signing key (e.g., `5XaczGNlfz0bl8R1IX5qn+tBoue2tWJqLMh+SDUuvCk`) instead of classical device ID (e.g., `SEHACYDHMG`). If you trust your homeserver, no particular workaround is needed.

**Name of the Vulnerable Software and Affected Versions** Matrix Javascript SDK versions prior to 19.7.0 **Description** The issue allows an attacker cooperating with a malicious homeserver to construct messages that appear to come from another person without indication. A sophisticated attacker could employ this vulnerability to perform a targeted attack, sending fake to-device messages appearing to originate from another user. This can allow injecting the key backup secret during self-verification, making a targeted device use a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. The attack requires coordination between a malicious homeserver and an attacker. **Recommendations** For versions prior to 19.7.0, update to version 19.7.0 or later, which only accepts Olm-encrypted to-device messages and includes additional checks for security. As a precaution, avoid using emoji/QR verification methods for new logins until patched, and instead, verify with your security passphrase. If you trust your homeserver, no particular workaround is needed.

**Name of the Vulnerable Software and Affected Versions** matrix-ios-sdk versions prior to 0.23.19 **Description** The issue allows an attacker cooperating with a malicious homeserver to construct messages that appear to have come from another person without indication. A sophisticated attacker could employ this vulnerability to perform a targeted attack, sending fake to-device messages appearing to originate from another user. This can allow the injection of the key backup secret during self-verification or making a targeted device use a malicious key backup spoofed by the homeserver. The attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. **Recommendations** For versions prior to 0.23.19, update to version 0.23.19 or later to only accept Olm-encrypted to-device messages. As a temporary workaround, consider not verifying new logins using emoji/QR verification methods until patched. To minimize the risk of exploitation, ensure that you trust your homeserver, as the attack requires coordination between a malicious homeserver and an attacker.

**Name of the Vulnerable Software and Affected Versions** Matrix iOS SDK versions prior to 0.23.19 **Description** The issue allows an attacker, in cooperation with a malicious homeserver, to construct messages that appear to come from another person. These messages may be marked with a grey shield on some platforms, but this indicator may be missing on others. This is due to a too permissive key forwarding strategy implemented in the Matrix iOS SDK. The SDK has been updated to only accept forwarded keys in response to previously issued requests and only from own, verified devices. A `trusted` flag is set on decrypted messages based on whether the key used for decryption was from a trusted source. Clients should ensure that messages decrypted with a key marked as `trusted = false` are appropriately decorated, such as displaying a warning. This attack requires coordination between a malicious home server and an attacker. **Recommendations** For versions prior to 0.23.19, update to version 0.23.19 or later to resolve the issue. As a temporary workaround, consider implementing a strict key forwarding policy and ensuring that messages decrypted with untrusted keys are decorated with warnings, such as displaying a grey shield or a similar indicator. Clients should ensure that messages with `trusted = false` are handled appropriately, for example, by showing a warning for such messages.