matrix.org infrastructure hack

The developers of the decentralized messaging platform Matrix have announced an emergency shutdown of the matrix.org and Riot.im servers (Riot is the main Matrix client) after the project's infrastructure was compromised. The first shutdown took place last night; afterwards the servers were restored and the applications were rebuilt from the reference sources. But a few minutes ago the servers were compromised a second time.

The attackers placed on the project's main page details of the server configuration and a claim that they hold a database with the password hashes of nearly five and a half million Matrix users. As evidence, the password hash of the Matrix project lead was published. The modified website code was placed in the attackers' repository on GitHub (not in the official Matrix repository). No details of the second hack are available yet.

After the first hack, the Matrix team published a report stating that the compromise was carried out through a vulnerability in an outdated Jenkins continuous integration server. After gaining access to the Jenkins server, the attackers captured SSH keys and used them to reach other infrastructure servers. The report stated that the source code and packages were not affected by the attack, nor were the Modular.im servers. However, the attackers gained access to the main DBMS, which contains, among other things, unencrypted messages, access tokens and password hashes.

All users were told to change their passwords. But while changing passwords in the main Riot client, users found that the backup key files needed to decrypt their encrypted correspondence had disappeared, leaving them unable to access their past message history.

Recall that Matrix, a platform for decentralized communications, is presented as a project built on open standards that pays great attention to user security and privacy. Matrix provides end-to-end encryption based on its own protocol, which includes the Double Ratchet algorithm (also used in the Signal protocol); it supports search and unlimited viewing of message history, file transfer, notifications, online presence indication, teleconferencing, and voice and video calls. It also supports advanced features such as typing notifications, read receipts, push notifications, server-side search, synchronization of client history and status, and various identifier options (email, phone number, Facebook account, etc.).

Supplement: a follow-up has been published with a description of the second hack, information about the leak of PGP keys, and an overview of the security issues that led to the compromise.

Source: opennet.ru
