Skip to content

Sending blank `m.room.encryption` on iOS will disable encryption

High
dkasak published GHSA-fxvm-7vhj-wj98 Feb 16, 2024

Package

element-iOS (iOS)

Affected versions

<= 1.6.9

Patched versions

0.6.10
matrix-ios-kit (iOS)
<= 0.6.11
None. It is deprecated
matrix-ios-sdk (iOS)
<= 0.20.13
0.20.14

Description

Impact

Matrix clients based on the Matrix iOS SDK before 0.20.14 can be forced to send unencrypted messages in an end-to-end encrypted room, without warning the user that this is happening.

This is possible by sending a blank m.room.encryption state event. Sending such an event requires room admin privileges so the attack can only be performed by a room or server admin.

Patches

The patch is available in MatrixSDK 0.20.14 and Element-iOS 0.6.10.

Workarounds

Since non-iOS clients are not affected, the attack can be noticed from other devices signed into the same account.

For more information

If you have any questions or comments about this advisory, e-mail us at security@matrix.org.

Severity

High

CVE ID

No known CVE

Weaknesses

No CWEs