Riot Web 1.6.3 - a security update, shortcuts, toasts (and rageshakes)

Hello everyone!

We’ve released a few updates for Riot today, grouped under the logically titled 1.6.3 (guess what the previous update was called...more on that later). Heads up that 1.6.3 is a security update, so please upgrade - many thanks to Quentin Gliech for reporting a vulnerability in single sign-on (SSO) deployments where Riot could be confused into sending authentication details to an attacker-controlled server. We are not aware of this being abused in practice. Thanks to Quentin for responsibly disclosing via Matrix’s Security Disclosure Policy.

Shortcuts

There are a couple of new keyboard shortcuts: ‘Shift’ + ‘Page Up’ now magically transports you to your last unread message in a room, which has proved very popular in testing. Cmd/Ctrl + ‘Shift’ + ‘U’ is also new and gives you a slightly faster way to upload.

Just in case you don’t know already, the full shortcuts guide is available within your Riot client by clicking Settings/Help & About (under the FAQ).

Alternatively, to see all the available shortcuts, press ‘Cmd’ + ‘/’ on macOS or ‘Ctrl’ + ‘/’ on Windows and Linux (a shortcut for shortcuts, how very meta!).

Notifications

Given we’re all still working from home, it could be confusing to say we’ve been making a lot of toast. To be clear, we’re talking pop-up notifications.

View-blocking banner-style notifications have gone, replaced by breadcrumbs of tasty toast that are thankfully free from dripping butter.

Rageshakes are back!

The wild complexity of default end-to-end encryption and cross-signing created a minor snafu for rageshakes... they didn’t work anymore because they were expecting a bit of code that we’d removed as we jumped into the new world.

Amusingly we didn’t spot the problem with rageshakes for a few days because, well, there were no rageshakes about the rageshakes not working. Kafkaesque 🤯.

Anyway, it’s fixed now (along with a small issue around key backup restore)!

Our take on the rageshake

In case you’re not familiar with rageshakes, they automatically spring to life when you shake your phone. It’s a neat feature, because the Etch-A-Sketch moment of shaking your phone in response to a problem is very natural. It’s one of our favourite UX bits of Riot :)

The way a rageshake kicks in at the moment of the issue means the app can send the immediate logs in the context of the problem.

The rageshake invites you to submit your logs (see the screenshot) so we can analyse issues and fix them. Most issues are related to people being on an older version of Riot, or an issue with their own hosting, but some end up as a required fix, and we track them as a public issue (here’s the one for rageshakes). Fear not, rageshakes themselves stay private!

Some people are a little reluctant to submit their logs (they can contain your username, the IDs or aliases of rooms/groups visited and the usernames of other users - they do not contain messages, encryption keys or plaintext), which is why it’s optional. We’re also working on enabling people to see the logs they will submit before sending. Broadly though, people are happy to submit their rageshake logs and they are super useful, so thank you!

We normally get around 45 rageshakes a day, across Android and iOS. We get about 15 ‘submit debug logs’ via web/laptop/desktop clients (you can do this via the Settings / Help and About menu). Obviously they aren’t physical rageshakes and thankfully so; that would be anger management territory.

Rageshakes give us a great way of tracking issues as they crop up, and dealing with them quickly. So thank you for submitting rageshakes and keep them coming!

Further reading

Here are our summary bullets from 1.6.3:

  • Fixed vulnerability around SSO
  • Added more shortcuts to jump to read marker and upload a file
  • Fixed notification tray icon stability for desktop
  • Fixed several bugs in the cross-signing bootstrap process
  • Converted older banner-style UI for updates etc. to newer toasts

Heads up that the rageshake fix was actually in 1.6.2, which we didn’t blog about at the time as it was a quick fix. For the full changelogs, as always, please visit the release notes for riot-web, matrix-react-sdk and matrix-js-sdk - and to check out the code, head over to GitHub.