Attacker Offers Advice to Matrix.org After Hacking Its Systems
Matrix.org had its systems hacked and its website defaced by someone who decided to disclose the security issues found during the attack.
Matrix.org develops an open source standard for secure and decentralized real-time communications. The standard can be used for instant messaging, IoT communications, and VoIP or WebRTC signaling.
The organization behind Matrix.org informed users on Thursday that someone had gained unauthorized access to its production databases, including unencrypted message data, access tokens and password hashes.
Matrix.org said the hacker had exploited a known vulnerability in the Jenkins open source automation server to hijack credentials and access its production infrastructure. The organization said homeservers other than matrix.org, source code and packages, identity servers, and Modular.im servers were not impacted.
However, it urged users to immediately change their Matrix and NickServ passwords. All users have been logged out from matrix.org and those who don’t have backups of their encryption keys may not be able to read their previous conversations.
“Forensics are ongoing; so far we’ve found no evidence of large quantities of data being downloaded. The attacker did have access to the production database, so unencrypted content (including private messages, password hashes and access tokens) may be compromised,” Matrix.org said.
Based on Matrix.org’s investigation, the attack started on March 13 and it was detected on April 10 after someone notified it of the Jenkins vulnerability. The company started cleaning up its systems, but neglected to replace a Cloudflare API key that the attacker had obtained earlier. This API key allowed the hacker on Friday to change the DNS records for matrix.org and redirect users to a GitHub page showing some of the data he had accessed.
“The API key was known compromised in the original attack, and during the rebuild the key was theoretically replaced. However, unfortunately only personal keys were rotated, enabling the defacement. We are currently doublechecking that all compromised secrets have been rotated,” Matrix.org representatives explained.
The attacker does not seem to have had malicious intentions as they created a GitHub project where they shared some of the security issues noticed during the attack and suggested some improvements. The information posted by the hacker on GitHub was removed just as this article was being written.