Security release: Element X Android (0.4.12) and iOS (1.6.7)

May 15, 2024
Security

We have released security updates for Element X Android and Element X iOS to address a high-severity vulnerability. This flaw could expose server-side key backup private key material to Element's bug reporting ("rageshake") servers. The key material is only at risk when users submit a bug report from an affected Element X client while the key material is present in the application logs.

Please update your Element X clients as soon as possible to ensure the security of your communications. Even though we are now blocking bug reports from affected clients, we recommend that you refrain from submitting bug reports until you’ve updated to eliminate any risk of key material exposure.

Note that at the time of this post, we're still waiting for the Element X Android release to appear in the Play Store, but it should happen shortly.

Vulnerability information

Element X Android

Element X iOS

Root cause: CVE-2024-34353 / GHSA-9ggc-845v-gcgv

No other Element clients are affected, including Element Web/Desktop, Element Android (classic) and Element iOS (classic).

Impact

By searching the rageshake logs, we’ve determined that 156 unique Matrix IDs have been affected by this bug, resulting in their key material being leaked to the rageshake servers. This count includes 31 Matrix IDs where the evidence of impact was inconclusive, but due to potential risk factors, they are included out of an abundance of caution. Of the affected IDs, the majority are not using a homeserver operated by Element, and therefore are not impacted. We will contact all the affected users, impacted or not, as per the next steps section below.

This key is used to encrypt copies of message encryption keys stored in the user’s server-side key backup. Theoretically, this could allow Element to access encrypted message content of affected users who use Element-operated homeservers. No other party besides Element is in a position to access this encrypted data, and Element will not, under any circumstance, access encrypted data of any users.

If you are not using an Element-operated homeserver, there is no private data exposure, even if your key material was leaked, since the encrypted data is not hosted on Element’s servers. If you are using an Element-operated homeserver, even if the key material was exposed to us, we have deleted it and, in practice, your private data is still secure.

Apart from the data exposure, the same underlying bug could have resulted in a small number of corrupted keys being stored in the backup.

Next steps

To ensure the incident is fully remediated, we’ve additionally taken the following actions:

  • We will be contacting each affected user individually. We’ve asked the Matrix.org Foundation to assist with this via their @support:matrix.org account.
  • We began rejecting bug reports from affected clients on Friday, 2024-05-10, starting at approximately 10:30 AM UTC.
  • Shortly after, we deleted the private key material from the rageshake servers.
  • We are working on automatically fixing any corrupt backup data.
  • For affected users who wish to rotate their backup private keys out of an abundance of caution, we've prepared instructions on how to reset your server-side key backup from Element clients.

Detailed explanation

In Matrix, the server-side key backup stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric cryptography, with each server-side key backup assigned a unique public-private key pair.

Rageshakes are a feature in Element clients that allow users to report bugs to Element, which also uploads debug logs for analysis.

The root cause of the issue is a bug in the matrix-sdk-crypto crate (part of the Matrix Rust SDK project; CVE-2024-34353 / GHSA-9ggc-845v-gcgv) which caused the private part of the backup key pair to be logged to application debug logs during certain operations, making it accessible to the rageshake servers when a bug report was submitted.

Conclusion

We deeply apologise for any inconvenience this issue may have caused. Our team has taken immediate steps to address this vulnerability and prevent any future occurrences. We appreciate your patience and cooperation as we work to ensure the safety and integrity of our platform.

Please update your Element X clients as soon as the new versions become available in the app stores.

Thank you for your understanding and continued support.

Element Security

Related Posts

Cybersecurity
Disney’s Slack breach tells an important story
News of Disney’s alleged Slack breach shows what can happen when organisations trust centralised communications platforms that don’t use end-to-end encryption
Steve Loynes
14/07/2024
Security
Security release: Synapse 1.105.1
Today we are releasing Synapse
Element Security
23/04/2024
Security
Secure communications landscape is now ‘Established,’ says Forrester
The new Secure Communications Solutions Landscape Q2 2024 report, from Forrester Research, categorises Secure Communications as an ‘Established’ marketplace.
Steve Loynes
19/04/2024
Security
Meet Element R: our new unified crypto implementation
We’ve created a common cryptographic library implementation in Rust - codenamed Element R - for all our Element clients.
Archie W
27/02/2024

By the same author

Element app
Resetting the server-side key backup
What is the server-side key
Element Security
15/05/2024
Security
Security release: Synapse 1.105.1
Today we are releasing Synapse
Element Security
23/04/2024
Security
Security release: Element Android 1.6.12
Hello, Today we have released
Element Security
20/02/2024

Element is the fast, simple and private way to communicate with family, friends, teams, colleagues, organisations and the wider world.

Thanks for reading our blog— if you got this far, you should head toelement.ioto learn more!

Get started

For Web, Android, iOS, macOS, Windows & Linux