Friday, April 12, 2019

Matrix Project Hacked And Undergoes Extensive Infrastructure Rebuild - If you're a matrix.org user change your password now.

The Matrix Project is an open source, end-to-end encrypted messaging protocol that allows anyone to self-host a messaging service on their own servers. The service was a favorite among open source developers, who used it for many instant messengers, VoIP, WebRTC, bots and IoT communication. We ourselves were looking to it for IoT messaging.

The sad news is that a hacker gained access to key servers of the project. According to the Matrix Project, unknown attackers exploited a sandbox bypass vulnerability in its production infrastructure on the 4th of April via an outdated, vulnerable version of the Jenkins automation server.

After taking down and fixing the other server in production, the Matrix Project found out that their DNS had been hijacked and was pointing to a defacement server hosted on GitHub.
The team has since realized that the encrypted password hashes were exfiltrated from the production database. Matrix.org forced a logout of all users and strongly advised them to change their passwords immediately.

“Forensics are ongoing; so far we've found no evidence of large quantities of data being downloaded. The attacker did have access to the production database, so unencrypted content (including private messages, password hashes and access tokens) may be compromised,” said the project management.

“This was a difficult choice to make. We weighed the risk of some users losing access to encrypted messages against that of all users' accounts being vulnerable to hijack via the compromised access tokens. We hope you can see why we made the decision to prioritize account integrity over access to encrypted messages, but we're sorry for the inconvenience this may have caused.”


The press release by the Matrix Project (you may also find the latest updates via the link):
