The Matrix decentralized communication platform has published a security warning about two critical-severity vulnerabilities that affect the end-to-end encryption in the software development kit (SDK).
A threat actor exploiting these flaws could break the confidentiality of Matrix communications and run man-in-the-middle attacks that expose message contents in a readable form.
The affected clients are those using matrix-js-sdk, matrix-ios-sdk, and matrix-android-sdk2, such as Element, Beeper, Cinny, SchildiChat, Circuli, and Synod.im.
Other clients using a different encryption implementation (e.g. Hydrogen, ElementX, Nheko, FluffyChat, Syphon, Timmy, Gomuks, Pantalaimon) are not impacted.
Matrix underlines that the issues have been fixed and that all users need to do to keep their communications safe is apply the available updates to their IM clients.
Matrix’s announcement claims that exploiting the flaws is not an easy task and that they have seen no evidence of active exploitation.