Impact
Events encrypted with Megolm sessions for which trust could not be established were not decorated with warning shields.
Therefore a malicious homeserver could inject messages into the room without the user being alerted that the messages were not sent by a verified group member, even if the user has previously verified all group members.
Patches
Patched in Element iOS 1.9.7.
Workarounds
None.
References
For more information
If you have any questions or comments about this advisory, email us at security@matrix.org.