<h1>Matrix protocol bugs could let hackers seize control of sensitive chat rooms</h1>
<p><em>Published 2025-08-15</em></p>
<p>The nonprofit <a href="https://matrix.org/foundation/about/" target="_blank" rel="noopener">Matrix Foundation</a>, custodian of the eponymous open standard communications protocol, has released details and patching information for two vulnerabilities that could allow hackers to take over classified chat rooms.</p>
<p>Matrix announced the vulnerabilities a month ago, but specific details on mitigation have been under wraps to allow protocol users time to test and implement them.</p>
<p>The protocol is used by organizations around the globe, often to transmit sensitive information. But experts warn that the security issue isn’t limited to chat: the ripple effects could disrupt emergency coordination or leak sensitive information.</p>
<p>“Matrix servers are also often connected to other servers in different organizations,” explained <a href="https://www.infotech.com/profiles/erik-avakian" target="_blank" rel="noopener">Erik Avakian</a>, technical counselor at <a href="https://www.infotech.com/" target="_blank" rel="noopener">Info-Tech Research Group</a> and former state chief information security officer for the Commonwealth of Pennsylvania. “If one is hacked, it could have downstream effects and be used to attack others.”</p>
<h2>‘Hydra’ an ongoing security effort</h2>
<p>Matrix is an open standard that users can run on their own servers, rather than a cloud-based service like WhatsApp or Signal. It is used by the French government, the German and Polish armed forces, and other public and private organizations worldwide.</p>
<p>“Data sovereignty is one of the big selling points for Matrix,” said <a href="https://www.sans.org/profiles/dr-johannes-ullrich" target="_blank" rel="noopener">Johannes Ullrich</a>, dean of research for <a href="https://www.sans.edu/" target="_blank" rel="noopener">SANS Technology Institute</a>, noting that it is “somewhat popular” with government organizations outside the US looking to avoid US-hosted or US-controlled cloud providers.</p>
<p>Matrix released a <a href="https://matrix.org/blog/2025/07/security-predisclosure/" target="_blank" rel="noopener">pre-disclosure</a> of the two high-severity vulnerabilities in mid-July (CVE-2025-49090 and CVE-2025-54315), and shared details of fixes under embargo with organizations using the protocol. Initially, the goal was to have the changes implemented in six days, but the foundation pushed that out by a month after users raised concerns about such a quick turnaround.</p>
<p>A coordinated release occurred on Monday (August 11), and server admins were given three days to upgrade before Matrix disclosed vulnerability details and introduced Room Version 12 today.</p>
<p>“This entire process has been highly unusual for the ecosystem, and it’s unfortunate that we were unable to make these changes out in the open,” Matrix staff engineer Kegan Dougal <a href="https://matrix.org/blog/2025/08/project-hydra-improving-state-res/#continue-reading" target="_blank" rel="noopener">wrote in a blog post</a>.</p>
<p>The project, codenamed “<a href="https://matrix.org/blog/2025/08/project-hydra-improving-state-res/#continue-reading" target="_blank" rel="noopener">Hydra</a>,” is a coordinated and ongoing effort by Matrix’s security teams and consultants to improve the protocol’s security. During the embargo period, the foundation released redacted versions of Matrix spec changes (MSCs) “as soon as we were comfortable from a security perspective.”</p>
<p>Avakian explained that the fixes and updated guidance include changing how chat rooms are managed and how their IDs are created.</p>
<p>“If your organization is connected only to your own system (no federation), you’re basically fine,” he said. “If you connect to other servers, especially those you can’t <a href="https://www.csoonline.com/article/564201/what-is-zero-trust-a-model-for-more-effective-security.html" target="_blank" rel="noopener">fully trust</a>, you should update rooms to the new format, as well as make sure your messaging apps and bots are updated too, so they don’t break.”</p>
<h2>Vulnerabilities could allow hackers to disrupt sensitive conversations</h2>
<p>The vulnerabilities are rated as “high” rather than “critical,” according to the foundation, as they “do not result in data compromise or exposure.” Matrix notes that it is not aware of the issues being exploited.</p>
<p>Avakian explained that, if <a href="https://www.csoonline.com/article/3970955/4-big-mistakes-youre-probably-still-making-in-vulnerability-managementand-how-to-fix-them.html" target="_blank" rel="noopener">not addressed immediately</a>, the two serious flaws could allow hackers to disrupt conversations and trusted communications. One could let a bad actor take over “creator” powers for a chat room, allowing them to make changes, redirect people to a different room, or shut the room down altogether. The other could let someone predict a room’s address before the creator initiates it, which could cause confusion or allow threat actors to set up a fake version of a room.</p>
<p>This could allow them to “potentially spread misinformation, trick people into sharing information, or simply shut down communication channels critical to business or during a crisis or sensitive project,” he said.</p>
<p>On Friday, the Matrix Foundation reached out to CSO Online with further information about the vulnerabilities.</p>
<p>Matrix security researcher and programmer <a href="https://www.linkedin.com/in/denis-kasak-91461055/" target="_blank" rel="noopener">Denis Kasak</a> clarified that these vulnerabilities can only be exploited by servers (or server operators) that have previously participated in the room in question. An arbitrary network attacker cannot use them to gain access to a room, even if the server is allowed to federate with other servers.</p>
<p>He also noted that while CVE-2025-49090 allows a room member to potentially reset the room’s state to an earlier value, it does not grant administrative or creator privileges.</p>
<p>In addition, he said, CVE-2025-54315 is a soundness issue “with no known exploitation path,” being fixed purely as a precaution. “It does not involve predicting a room ID, and even if a future room ID could be guessed, cryptographic signatures prevent other servers from creating a valid fake room,” said Kasak.</p>
<h2>New MSCs bundled into version 12</h2>
<p>Matrix said it made the “unusual decision” to embargo the MSCs due to the risk of exploitation. They include:</p>
<p><strong>MSC4289</strong>: Makes it explicit that room creators have ‘infinite’ power. “Access control requires a hierarchy, and the creator is at the top of this hierarchy,” Matrix explains. This also allows admins to promote other users to admin or demote themselves should they lose control of their rooms. “If creators go rogue or disappear, the solution is to establish a new creator by either upgrading the room or creating a new one.”</p>
<p><strong>MSC4291</strong>: Changes the format of room IDs so that they are the same as the ID of the room’s create event. Matrix explains that this is a precautionary measure to prevent a theoretical class of attacks where malicious admins introduce false events in a room to hijack it.</p>
<p><strong>MSC4297</strong>: Protects against ‘state resets’ that revert a room to an earlier state. Such resets can re-add users to a room they have left, or cause the server to no longer recognize previously present users.</p>
<p>These MSCs are bundled into Room Version 12, which is expected to be formally released later this month.</p>
<h2>Upgrade now, be picky about connections long-term</h2>
<p>Matrix users and server administrators are advised to upgrade clients to the latest version and ensure they support the upcoming Room Version 12.</p>
<p>Avakian recommends updating all clients and bots, including any applications, integrations, or automated tools connected to a Matrix server. Connections to external sites should be limited where possible, and administrators and key users should be alerted about the changes immediately.</p>
<p>“As with any critical change, employing a test-first approach will avoid the potential for breaking things for end users and disrupting business,” he said.</p>
<p>Long-term, he urged, be “picky” about who you connect to, only allow federation with trusted servers, and ensure that the true “creator” is the only one able to perform certain changes or actions. Monitor regularly through event logging, and review important room changes for suspicious activity. And always apply patches and updates, but only after appropriate testing.</p>
<p>“Also, it’s important to keep <a href="https://www.networkworld.com/article/4039042/def-con-research-takes-aim-at-ztna-calls-it-a-bust.html" target="_blank" rel="noopener">zero trust principles</a> in mind,” said Avakian. “Treat other servers with caution, even if they’re part of your network, and secure accordingly.”</p>
<p><em>Updated with additional information from Matrix about the flaws.</em></p>