Conversation

Charlotte 🦝 therian

New Blog Article: https://lotte.chir.rs/2024/08/17/Missing-Salamanders-Matrix-Media-can-be-decrypted-to-multiple-valid-plaintexts-using-different-keys/

The security issue has not been fixed by the matrix team.

Leave any comments here, as my blog doesn’t have comments yet.

5
27
39

@charlotte Thank you for disclosing and publishing both of those issues! blobfoxheart

0
0
1

@charlotte very nice and interesting write up thanks for disclosing it

0
0
1

@charlotte really cool research!!

As of a couple years, re MAC truncation.

“the changes in truncation of the MAC are inherited from the libolm implementation and would require a coordinated effort on the Matrix Protocol level to ensure compatibility between implementations. Additionally, the Matrix team assesses the probability of an attack resulting from the truncation of a MAC to 8 bytes as low.”

https://matrix.org/media/Least%20Authority%20-%20Matrix%20vodozemac%20Final%20Audit%20Report.pdf

1
0
0

@charlotte I’m sympathetic to the pain of protocol upgrades, but I do not agree with the attack probability assessment, 2^64 security wasn’t acceptable in 2022.

1
0
0

@sanketh Yeah, I do have some ideas in mind in attacking [although not exploiting] it

1
0
1

@sanketh as far as i can tell it is computationally feasible to perform but:

  • clients would reject it [not for cryptographic reasons]
  • i would probably need to hack matrix-crypto-sdk to actually mount the attack
1
0
1

@charlotte interesting, til, could you explain why clients would reject it?

1
0
0

@sanketh the decrypted message would be incorrectly formatted

1
0
1

@charlotte is it beyond what can be solved with format shenanigans?

1
0
0

@sanketh the decrypted message would have to decode as a valid json object of some kind, i think that that is something you cannot trivially brute-force in a reasonable timeframe but i think just the abilities for two clients to disagree about the plaintext is enough to bring my poin tacross

1
0
2

@charlotte ah, true, I forgot that in this setting, you have no control over the decrypted blob, unlike in traditional salamander attacks.

0
0
0

@charlotte Thanks so much for doing this. It seems quite bad to me that you received *no* response until you gave a disclosure date; but I am not sure what normal here is, is that normal?

0
0
0