The hacker that hacked and defaced Matrix.org decided to disclose the security issues discovered during the attack and offers advice.

This week, the hacker behind the hack of Matrix.org decided to disclose the vulnerabilities discovered during the attack.

Matrix is an open network for secure, decentralized real-time communication that is also used for instant messaging, IoT communications, and VoIP or WebRTC signaling.

On Thursday, Matrix.org warned users of the security breach, a hacker gained unauthorized access to the production databases, including unencrypted message data, access tokens, and also password hashes.

According to Matrix.org, the attacker has exploited a known vulnerability in the Jenkins open source automation server to hijack credentials and gain access to the systems of the organization. Homeservers, source code and packages, identity servers, and Modular.im servers were not impacted.

“An attacker gained access to the servers hosting Matrix.org. The intruder had access to the production databases, potentially giving them access to unencrypted message data, password hashes and access tokens. As a precaution, if you’re a matrix.org user you should change your password now.” reads the data breach notification published by Matrix.org.

“The matrix.org homeserver has been rebuilt and is running securely; bridges and other ancillary services (e.g. this blog) will follow as soon as possible. Modular.im homeservers have not been affected by this outage.”

The organization urges Matrix and NickServ users to change their passwords, as a precautionary measure, all users have been logged out from matrix.org.

Unfortunately, users that have no backups of their encryption keys will be not able to read their previous conversations. The company launched an investigation and attempted to downplay the incident saying that there is no evidence that large quantities of data have been exfiltrated.

“Forensics are ongoing; so far we’ve found no evidence of large quantities of data being downloaded.” continues Matrix.org. “The attacker did have access to the production database, so unencrypted content (including private messages, password hashes and access tokens) may be compromised,”

According to Matrix, the intrusion occurred on March 13 and was detected on April 10, after the organization was informed of the Jenkins vulnerability affecting its systems. The company quickly started cleaning up the affected systems but did not replace a Cloudflare API key compromised in the attack. On Friday, the attacker used the Cloudflare API key to change the DNS records for matrix.org and redirect users to a GitHub page displaying a portion of the compromised data as a proof of the hack.

“At around 5am UTC on Apr 12, the attacker used a cloudflare API key to repoint DNS for matrix.org to a defacement website (https://github.com/matrixnotorg/matrixnotorg.github.io). The API key was known compromised in the original attack, and during the rebuild the key was theoretically replaced. However, unfortunately only personal keys were rotated, enabling the defacement. We are currently doublechecking that all compromised secrets have been rotated.” reads an update published by the organization.

“The rebuilt infrastructure itself is secure, however, and the DNS issue has been solved without further abuse. If you have already changed your password, you do not need to do so again.”

The GitHub project set up by the hacker provides technical details about the security vulnerabilities discovered during the hack, the attacker also offered some suggestions to improve the security of the organization.

GitHub has currently removed the information leaked by the hacker.

Pierluigi Paganini

( SecurityAffairs – Matrix.org, hack)

Share this...

Linkedin Reddit Pinterest

Share On