Here we maintain a list of security researchers and their findings, to recognize them for having responsibly disclosed security issues to us in the past.
If you think you've found a security issue relating to Element software or infrastructure, please see our Security Disclosure Policy on how to report it to us.
2024-02-01 - Element Android - Pietro "suidpit" Tirenna, Davide "TheZero" Silvetti and Abdel Adim "smaury" Oisfi from Shielder
Discovered a method to force Element Android into sharing internal files via a locally installed malicious app (CVE-2024-26132 / GHSA-8wj9-cx7h-pvm4).
2024-02-01 - Element Android - Pietro "suidpit" Tirenna, Davide "TheZero" Silvetti and Abdel Adim "smaury" Oisfi from Shielder
Found an intent redirection vulnerability in Element Android where a locally installed malicious app could start any internal activity (CVE-2024-26131 / GHSA-j6pr-fpc8-q9vm).
2023-11-28 - gitter.im - Yasser Ezzat
Discovered a very old Gitter client version pulling updates directly from an unclaimed S3 bucket.
2022-09-17 - Element iOS - Josh Enders
Discovered a FaceID bypass in Element iOS. Fixed in Element iOS 1.9.7.
2022-08-23 - Element iOS - Cyastis Volantis
Discovered issue with PIN screen being bypassable by opening the application in landscape mode. Fixed in Element iOS 1.9.1.
2022-05-12 - Element clients - Rex Kim (@rexouflage)
Reported an RTLO injection issue allowing an attacker to construct a link appearing to lead to an URL while actually leading to another. Fixed in Element iOS 1.8.17 and Element Android 1.4.18. Mitigated in Element Desktop 1.11.1 by enabling link tooltips.
2022-01-31 - Element Desktop - s1r1us and TheGrandPew
Remotely triggerable host program execution with user interaction, caused by an outdated Electron dependency. Depending on the host environment, full RCE may be possible. Fixed in Element Desktop 1.9.7 and tracked as GHSA-mjrg-9f8r-h3m7 / CVE-2022-23597.
2021-09-17 - Element iOS - The UK's National Cyber Security Centre (NCSC)
JavaScript code execution when previewing user file attachments in Element iOS before 1.6.8 on iOS 12 and earlier. Fixed in Element iOS 1.6.8.
2021-05-21 - Element Android - Aaron Raimist and an anonymous security researcher
Discovered that Element Android was disclosing the filename of end-to-end encrypted attachments to the homeserver. Fixed in Element Android 1.1.8.
2021-01-07 - Element iOS - Andrea Spacca
Element iOS crash via an invalid content payload. Fixed in Element iOS 1.1.4.
2020-09-09 - New Vector Infrastructure - Pritam Mukherjee
Misconfigured X-Frame in New Vector internal infrastructure could lead to Clickjacking
2020-08-14 - Element - awesome-michael from Awesome Technologies
An issue where encrypted state events could break incoming call handling. Fixed in Element 1.7.5
2020-07-29 - Element - 0x1a8510f2
An issue where Element Android was leaking PII. Fixed in Element Android 1.0.5
2020-07-20 - Element - SakiiR
An issue where an unexpected language ID in a code block could cause Element to crash. Fixed in Element 1.7.3
2020-06-18 - Element - Sorunome
An issue where replying to a specially formatted message would make it seem like the replier said something they did not. Fixed in Element 1.7.3
2019-04-22 - Riot/Android - Julien Thomas from Protektoid Project
Obsolete and buggy ContentProvider in Riot/Android meant that a malicious local app could compromise account data. Mitigated here.