Critical vulnerability in the Librem One service, identified on the day of its launch

In the Librem One service, aimed at use on the Librem 5 smartphone, a critical security issue surfaced right after launch that discredits the project, which is presented as a secure platform for ensuring privacy. The vulnerability was found in the Librem Chat service and allowed anyone to enter the chat as any user without knowing that user's authentication credentials.

In the backend code used for LDAP authorization in the Matrix network (matrix-appservice-ldap3), a bug was introduced that was carried over into the production Librem One service code. Instead of the line "result, _ = yield self._ldap_simple_bind", the code read "result = yield self._ldap_simple_bind", so the variable held the whole (result, connection) tuple rather than the bind outcome; since a non-empty tuple is always truthy, the check passed for every login attempt and any user could enter the chat under any identifier without authorization. The Matrix project developers who made the mistake claim that the problem appeared only in the master branch of "matrix-appservice-ldap3" and not in releases, but the problematic line has been present in the repository since 2016 (possibly the conditions for triggering the problem arose only after some other recent changes).
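The following is an added illustration of the tuple-truthiness mistake described above; it is not code from matrix-appservice-ldap3 or from Librem One. The real module returns the bind outcome through a Twisted "yield self._ldap_simple_bind(...)" call; here a plain synchronous function with the assumed name ldap_simple_bind stands in for it, and the LDAP directory is a constructed in-memory table. The two checks show the buggy and the corrected assignment side by side, plus the regression test a maintainer would want so a wrong password can never pass again.

```python
"""Added example (not the project's own code): why `result = bind(...)`
accepts every login when bind() returns a (result, connection) tuple."""
from typing import Dict, Optional, Tuple

# Constructed sample directory: username -> password (hypothetical values).
FAKE_DIRECTORY: Dict[str, str] = {"alice": "correct horse", "bob": "battery staple"}


class FakeConnection:
    """Stands in for the ldap3 connection object a successful bind yields."""

    def __init__(self, user: str) -> None:
        self.user = user


def ldap_simple_bind(username: str, password: str) -> Tuple[bool, Optional[FakeConnection]]:
    """Assumed helper mirroring the shape of the real one: returns
    (True, conn) on a successful bind and (False, None) otherwise."""
    if FAKE_DIRECTORY.get(username) == password:
        return True, FakeConnection(username)
    return False, None


def check_password_vulnerable(username: str, password: str) -> bool:
    """The bug: the whole tuple is stored, and a two-element tuple is truthy
    even when it is (False, None), so every attempt counts as success."""
    result = ldap_simple_bind(username, password)
    return bool(result)


def check_password_fixed(username: str, password: str) -> bool:
    """The fix: unpack the tuple so only the boolean outcome is tested."""
    result, _conn = ldap_simple_bind(username, password)
    return result


def regression_report() -> Dict[str, bool]:
    """Runs the cases a maintainer would assert on in a regression test.
    A correct implementation must reject a bad password and an unknown user."""
    cases = {
        "good_login": ("alice", "correct horse"),
        "bad_password": ("alice", "wrong"),
        "unknown_user": ("nobody", "anything"),
    }
    return {
        f"vulnerable_{name}": check_password_vulnerable(*creds) for name, creds in cases.items()
    } | {
        f"fixed_{name}": check_password_fixed(*creds) for name, creds in cases.items()
    }


if __name__ == "__main__":
    for name, accepted in regression_report().items():
        print(f"{name:28s} accepted={accepted}")
```

Running the block shows the vulnerable check accepting all three attempts, including the unknown user, while the fixed check accepts only the correct credentials; the "bad_password" and "unknown_user" rows are the cases worth pinning down in a unit test, since a Python truthiness check on a tuple gives no error at runtime and only a behavioural test catches it.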

The set of Librem One services put into operation requires a paid subscription ($7.99 per month or $71.91 per year), yet the existing open-source projects taken as the basis for the mobile clients and server components were simply renamed for distribution under the Librem brand. For example, Librem Chat is a renamed version of the Matrix client Riot, Librem Social is based on Tusky, Librem Mail is renamed from K-9, and Librem Tunnel is borrowed from ics-openvpn. The server components are based on Postfix and Dovecot for Librem Mail, Matrix for Librem Chat, and Mastodon for Librem Social. The stated reason for delivering the applications under other names is the desire to collect various decentralized services based on open standards (Matrix, ActivityPub, IMAP) under one recognizable brand.

Source: opennet.ru
