CVE-2026-42553
BaseFortify
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cinny | matrix_client | up to 4.10.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Cinny, a Matrix client, prior to version 4.10.3. A remote authenticated attacker who shares a room with the victim and has permissions to create room emotes can exploit this issue. When the victim opens the emoji or sticker picker in a room containing a malicious emote pack, the victim's client may send their Matrix access token to an attacker-controlled server.
The root cause is an incorrect fallback in EmojiBoard that uses untrusted user-controlled data (pack.meta.avatar) without validating it as a proper MXC URL, allowing arbitrary HTTP(S) URLs. Additionally, the service worker attaches the user's Authorization bearer token to all outbound GET requests with certain URL path fragments without verifying the request host matches the configured homeserver origin. This allows an attacker-controlled URL with permissive CORS to receive the victim's access token.
This vulnerability was fixed in Cinny version 4.10.3.
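The two checks the fix describes, written here as an added example in standalone JavaScript; this is not Cinny's code, and the function names, the simplified MXC regex and the homeserver origin are assumptions:

```javascript
// Added example, not Cinny's code. Function names, the MXC regex and the
// homeserver origin below are assumptions used for illustration.

// CWE-20 fix: accept only mxc://<server-name>/<media-id> as a pack avatar.
// Plain http(s) URLs, empty strings and non-strings are rejected (null).
// The server-name pattern is simplified (no IPv6 literals).
function parseMxcUrl(value) {
  if (typeof value !== 'string') return null;
  const m = /^mxc:\/\/([A-Za-z0-9.\-]+(?::\d+)?)\/([A-Za-z0-9_\-]+)$/.exec(value);
  return m ? { server: m[1], mediaId: m[2] } : null;
}

// Build the media URL only from a validated MXC reference and always on the
// homeserver origin, so pack.meta.avatar can never pick the request target.
function packAvatarUrl(pack, homeserverOrigin) {
  const mxc = parseMxcUrl(pack && pack.meta && pack.meta.avatar);
  if (!mxc) return null;
  const origin = new URL(homeserverOrigin).origin;
  return `${origin}/_matrix/client/v1/media/download/${mxc.server}/${mxc.mediaId}`;
}

// Service-worker side: the vulnerable logic keyed only on these path
// fragments; the hardened check also requires the request origin to be
// exactly the configured homeserver origin.
const MEDIA_PATHS = [
  '/_matrix/client/v1/media/download',
  '/_matrix/client/v1/media/thumbnail',
];

function shouldAttachToken(requestUrl, homeserverOrigin) {
  let url, origin;
  try {
    url = new URL(requestUrl);
    origin = new URL(homeserverOrigin).origin;
  } catch (e) {
    return false; // unparsable input never gets a credential
  }
  const isMediaPath = MEDIA_PATHS.some((p) => url.pathname.startsWith(p));
  return isMediaPath && url.origin === origin;
}
```

With these checks in place, a pack whose avatar is an attacker-controlled `https://` URL resolves to no request at all, and a media-path request to any origin other than the homeserver is sent without the bearer token.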
How can this vulnerability impact me?
An attacker exploiting this vulnerability can obtain the victim's Matrix access token, which is a sensitive credential.
With the access token, the attacker can potentially impersonate the victim within the Matrix network, accessing private messages, sending messages on their behalf, or performing other actions allowed by the victim's permissions.
This can lead to unauthorized access to private communications and data leakage.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in Cinny version 4.10.3. The immediate step to mitigate this vulnerability is to upgrade the Cinny Matrix client to version 4.10.3 or later.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a remote authenticated attacker to obtain a victim's Matrix access token by exploiting flaws in the Cinny client. The unauthorized disclosure of access tokens can lead to unauthorized access to user data and communications.
Such unauthorized access and potential data exposure could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.
Therefore, if exploited, this vulnerability could result in violations of these standards due to compromised confidentiality and security of user data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Cinny Matrix client sending the victim's access token to an attacker-controlled server when the emoji or sticker picker is opened in a room containing a malicious emote pack.
To detect exploitation attempts on your network or system, monitor outbound HTTP(S) GET requests whose path contains `/_matrix/client/v1/media/download` or `/_matrix/client/v1/media/thumbnail` and whose destination is an untrusted or unexpected external server rather than your configured homeserver. Note that the request path is only visible on the wire for plaintext HTTP; for HTTPS traffic, match on the destination host (DNS or TLS SNI) or inspect at a TLS-terminating proxy.
You can use network monitoring tools or commands such as:
- Using tcpdump to capture suspicious HTTP requests: `tcpdump -i <interface> 'tcp port 80 or tcp port 443' -A | grep -E '/_matrix/client/v1/media/(download|thumbnail)'`
- Using Wireshark with the display filter: `http.request.uri contains "/_matrix/client/v1/media/download" or http.request.uri contains "/_matrix/client/v1/media/thumbnail"`
- Inspecting the browser developer tools network tab for requests matching the above paths that go to unknown or attacker-controlled domains.
Additionally, verify the version of Cinny in use and ensure it is updated to 4.10.3 or later to mitigate this vulnerability.