
Matrix protocol bugs could let hackers seize control of sensitive chat rooms – Source: www.csoonline.com


Source: www.csoonline.com – Author:

The Matrix Foundation has released patches and mitigation details for two vulnerabilities in its open standard communications protocol, which is widely used to transmit sensitive information.

The nonprofit Matrix Foundation, custodian of the eponymous open standard communications protocol, has released details and patching information for two vulnerabilities that could allow hackers to take over classified chat rooms.

Matrix announced the vulnerabilities a month ago, but specific details on mitigation have been under wraps to allow protocol users time to test and implement them.

The protocol is used by organizations around the globe, often to transmit sensitive information. But experts warn that the primary security issue isn’t just about chat; it’s also how ripple effects could potentially disrupt emergency coordination or leak sensitive information.

“Matrix servers are also often connected to other servers in different organizations,” explained Erik Avakian, technical counselor at Info-Tech Research Group and former state chief information security officer for the Commonwealth of Pennsylvania. “If one is hacked, it could have downstream effects and be used to attack others.”

‘Hydra’ an ongoing security effort

Matrix is an open standard that users can run on their own servers, rather than a cloud-based service like WhatsApp or Signal. It is used by the French government, the German and Polish armed forces, and other public and private organizations worldwide.

“Data sovereignty is one of the big selling points for Matrix,” said Johannes Ullrich, dean of research for SANS Technology Institute, noting that it is “somewhat popular” with government organizations outside the US looking to avoid US-hosted or controlled cloud providers.

Matrix released a pre-disclosure of the two high-severity vulnerabilities in mid-July (CVE-2025-49090 and CVE-2025-54315), and shared details of fixes under embargo with organizations using the protocol. Initially, the goal was to have changes implemented in six days, but the foundation pushed that out by a month after users raised concerns about such a quick turnaround.

A coordinated release occurred on Monday (August 11), and server admins were given three days to upgrade before Matrix disclosed vulnerability details and introduced Room Version 12 today.

“This entire process has been highly unusual for the ecosystem, and it’s unfortunate that we were unable to make these changes out in the open,” Matrix staff engineer Kegan Dougal wrote in a blog post.

The project, codenamed “Hydra,” is a coordinated and ongoing effort by Matrix’s security teams and consultants to improve the protocol’s security. During the embargo period, the foundation released redacted versions of Matrix spec changes (MSCs) “as soon as we were comfortable from a security perspective.”

Avakian explained that the fixes and updated guidance include changing how chat rooms are managed and how their IDs are created.

“If your organization is connected only to your own system (no federation), you’re basically fine,” he said. “If you connect to other servers, especially those you can’t fully trust, you should update rooms to the new format, as well as make sure your messaging apps and bots are updated too, so they don’t break.”

Vulnerabilities could allow hackers to disrupt sensitive conversations

The vulnerabilities are rated as “high” rather than “critical,” according to the foundation, as they “do not result in data compromise or exposure.” Matrix notes that it is not aware of the issues being exploited.

Avakian explained that, if not addressed immediately, the two serious flaws could allow hackers to disrupt conversations and trusted communications. One could let a bad actor take over “creator” powers for a chat room, allowing them to make changes, redirect people to a different room, or shut the room down altogether. The other could let someone predict a room’s address before the creator initiates it, which could cause confusion or allow threat actors to set up a fake version of a room.

This could allow them to “potentially spread misinformation, trick people into sharing information, or simply shut down communication channels critical to business or during a crisis or sensitive project,” he said.

New MSCs bundled into version 12

Matrix said it made the “unusual decision” to embargo MSCs due to risk of exploitation. They include:

  • MSC4289: Makes it explicit that room creators have ‘infinite’ power. “Access control requires a hierarchy, and the creator is at the top of this hierarchy,” Matrix explains. This also allows admins to promote other users to admin or demote themselves should they lose control of their rooms. “If creators go rogue or disappear, the solution is to establish a new creator by either upgrading the room or creating a new one.”
  • MSC4291: Changes the format of room IDs so that they are the same as the event ID. Matrix explains that this is a precautionary measure to prevent a theoretical class of attacks where malicious admins introduce false events in a room to hijack it.
  • MSC4297: Protects against ‘state resets’ that revert a room to an earlier state. Such resets can re-add users to a room they have left, or cause the server to no longer recognize users who are present.
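As an added illustration (not the Matrix project's code, and a deliberately simplified model rather than the spec's actual event-hashing and authorisation rules), the following Python sketches the two ideas behind MSC4291 and MSC4289: a room ID derived from the room's own create event, so a server can reject a room whose claimed ID does not match that event, and a creator who outranks every power level. The event fields, timestamp and user IDs are constructed.

```python
import hashlib
import json

# Assumption: a simplified model for illustration, not the Matrix spec's
# real canonical-JSON hashing or authorisation algorithm.


def event_id(event: dict) -> str:
    """Derive an ID from the event's canonical JSON (sorted keys, no spaces)."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return "$" + hashlib.sha256(canonical).hexdigest()


def create_room(creator: str) -> dict:
    """MSC4291 idea: the room ID is the create event's ID, so nobody can know
    or claim a room's address before the creator actually emits that event."""
    create = {"type": "m.room.create", "sender": creator,
              "origin_server_ts": 1723420800000,  # constructed timestamp
              "content": {"room_version": "12"}}
    return {"room_id": "!" + event_id(create)[1:],
            "create": create,
            "power_levels": {creator: 100}}


def room_id_matches_create_event(room: dict) -> bool:
    """Check a server can run on a room it receives over federation: the
    claimed room ID must equal the ID of the create event it carries."""
    return room["room_id"] == "!" + event_id(room["create"])[1:]


def power(room: dict, user: str) -> float:
    """MSC4289 idea: the creator sits above every power level ('infinite')."""
    if user == room["create"]["sender"]:
        return float("inf")
    return room["power_levels"].get(user, 0)


def can_set_power(room: dict, actor: str, target: str, new_level: int) -> bool:
    """An actor may change their own level downward or sideways, and may change
    another user's level only when outranking both that user's current level
    and the level being assigned. The creator can never be outranked."""
    if actor == target:
        return power(room, actor) >= new_level
    return power(room, actor) > power(room, target) and power(room, actor) >= new_level
```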

These MSCs are bundled into Room Version 12, which is expected to be formally released later this month.

Upgrade now, be picky about connections long-term

Matrix users and server administrators are advised to upgrade clients to the latest version and ensure it supports the upcoming Room Version 12.

Avakian recommends updating all clients and bots, including any applications, integrations, or automated tools connected to a Matrix server. Connections to external sites should be limited where possible, and administrators and key users should be alerted about the changes immediately.

“As with any critical change, employing a test-first approach will avoid the potential for breaking things for end users and disrupting business,” he said.

Long-term, he urged, be “picky” about who you connect to, only allow federation with trusted servers, and ensure that the true “creator” is the only one able to perform certain changes or actions. Monitor regularly through event logging, and review important room changes for suspicious activity. And always apply patches and updates, but only after appropriate testing.

“Also, it’s important to keep zero trust principles in mind,” said Avakian. “Treat other servers with caution, even if they’re part of your network, and secure accordingly.”


Original Post url: https://www.csoonline.com/article/4040136/matrix-protocol-bugs-could-let-hackers-seize-control-of-sensitive-chat-rooms.html

Category & Tags: Communications Security, Security, Vulnerabilities
