Skip to main content

Signed, Sealed, Stolen: How We Patched Critical Vulnerabilities Under Fire

H.2215 (Ferrer) | Day 2 | 16:00 - 16:15 | Speakers: Jade, nex

Signed, Sealed, Stolen: How We Patched Critical Vulnerabilities Under Fire
A picture of a talk at FOSDEM 2024
Open in browser
Get involved in the conversation!Join the chat

Notes

Abstract

What happens when your server starts signing messages you didn't send?

Recently, the Continuwuity project (a Rust-based Matrix homeserver) fell victim to a targeted, active exploitation campaign. Attackers leveraged two critical vulnerabilities (CVSS 9.9 and 9.3) affecting the entire ecosystem of Conduit-derived servers. By exploiting flaws in the way that servers join and leave chat rooms, attackers forced the server to cryptographically sign unexpected events, with disasterous results. This allowed them to forge "leaves" to decimate public rooms, forge ACL rules to brick them, and temporarily take over an account to exfiltrate over 5,000 messages from the maintainers' private internal chat.

In this talk, Nex and Jade will take you inside the war room during the incident. We'll walk through the attack chain, explaining how attackers tricked the server, and how we figured out what happened. We'll also have a brief look at how we hardened our project against similar exploitation in the future.

Attachments


Notice: The placeholder video image is licensed under CC BY-SA 4.0. The original image can be found hereChanges made to the image are: Cropped the image to a new ratio, part of the image was cut off.