August 18th, 2024

Missing Salamanders: Matrix Media can be decrypted to multiple valid plaintexts

A weakness in the Matrix protocol's handling of encrypted media lets one uploaded ciphertext be decrypted to different valid plaintexts under different keys: the scheme lacks authenticated, key-committing encryption, does not bind the ciphertext to its key and IV, and is specified in ambiguous language that invites insecure implementations.

The article describes a significant weakness in how the Matrix protocol handles encrypted media in end-to-end encrypted rooms. Matrix does not use authenticated, key-committing encryption for media: the uploaded ciphertext is stored without any binding to its encryption parameters, and the integrity hash sent with it covers only the ciphertext, not the key or IV. As a result, any key and IV "decrypt" the same ciphertext to some plaintext and still pass the integrity check, so a single ciphertext has many valid plaintexts, and which one a recipient sees depends entirely on the key they were handed. The author outlines the timeline from discovery through reporting to public disclosure, and criticizes the specification's ambiguous wording about which checks are required, which can lead client developers to insecure implementations. The article also references a recent attack on AES-GCM that constructs ciphertexts decrypting to multiple plaintexts under different keys, underscoring that authenticated encryption alone is not enough without key commitment. A proof of concept combines different file formats in one encrypted blob to show the practical consequences. The conclusion is that, without authentication and verification that binds the key to the ciphertext, the security of encrypted media in Matrix is compromised.

- Matrix encrypts media in end-to-end rooms without authenticated encryption: the integrity check is an unkeyed hash over the ciphertext, and nothing authenticates the key or IV.

- Because the hash covers the ciphertext alone, the same ciphertext decrypts under any key and IV to some other plaintext, and every such decryption passes the integrity check.

- The specification's ambiguous wording about which checks are required may lead client developers to insecure implementations.

- The article cites a recent attack on AES-GCM that builds a single ciphertext decrypting to multiple plaintexts under different keys, showing that even an AEAD is not enough without key commitment.

- The proof of concept combines different file formats into one encrypted blob to demonstrate the practical consequences.
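The mechanism behind the points above, as an added example that is not code from the article or from any Matrix implementation. It mimics the shape of the spec's EncryptedFile object (an AES-256-CTR key as a JWK, a 16-byte IV, unpadded base64 fields, and a SHA-256 of the ciphertext) and builds one ciphertext that two different keys decrypt to two different well-formed files, both passing the hash check. The two toy file formats and their `HEAD`/`TAIL` parsers, the HMAC-based committing tag, the sample bodies, and the stand-in keystream used when the `cryptography` package is absent are all constructed for this illustration; they are not the article's proof of concept or the specification's remedy.

```python
# Added illustration (not code from the article or from any Matrix project): an
# unkeyed SHA-256 over the ciphertext does not bind an AES-CTR media blob to one
# key; a key-committing tag stored with the blob restores that binding.
import base64, hashlib, hmac, os

try:  # real AES-256-CTR when the 'cryptography' package is installed
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_AES = True
except ImportError:  # stand-in keystream (assumption: same XOR structure, not AES)
    HAVE_AES = False

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream of `length` bytes for (key, iv)."""
    if HAVE_AES:
        enc = Cipher(algorithms.AES(key), modes.CTR(iv)).encryptor()
        return enc.update(bytes(length)) + enc.finalize()
    blocks = (hmac.new(key, iv + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def ctr_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CTR encryption and decryption are the same operation: data XOR keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, iv, len(data))))

def b64(raw: bytes) -> str:  # unpadded base64, as EncryptedFile fields use
    return base64.b64encode(raw).rstrip(b"=").decode()

def unb64(s: str) -> bytes:
    return base64.b64decode(s + "=" * (-len(s) % 4))

def file_info(key: bytes, iv: bytes, ct: bytes) -> dict:
    """Shape of the spec's EncryptedFile object: the hash covers the ciphertext only."""
    return {"key": {"kty": "oct", "alg": "A256CTR", "k": b64(key)}, "iv": b64(iv),
            "hashes": {"sha256": b64(hashlib.sha256(ct).digest())}, "v": "v2"}

def matrix_style_decrypt(ct: bytes, info: dict) -> bytes:
    """The check as the page describes it: the hash ignores key and iv, so any key passes."""
    if not hmac.compare_digest(hashlib.sha256(ct).digest(), unb64(info["hashes"]["sha256"])):
        raise ValueError("ciphertext hash mismatch")
    return ctr_xor(unb64(info["key"]["k"]), unb64(info["iv"]), ct)

# Two toy formats (constructed for this example) that tolerate junk on one side,
# like a JPEG parser ignoring bytes after EOI or a ZIP reader that locates its
# central directory from the end of the file.
def parse_head_format(data: bytes):
    """b'HEAD', 4-byte big-endian length, body; trailing bytes are ignored."""
    n = int.from_bytes(data[4:8], "big")
    return data[8:8 + n] if data[:4] == b"HEAD" and len(data) >= 8 + n else None

def parse_tail_format(data: bytes):
    """Body, 4-byte big-endian length, b'TAIL' at the end; leading bytes are ignored."""
    n = int.from_bytes(data[-8:-4], "big")
    return data[-8 - n:-8] if data[-4:] == b"TAIL" and len(data) >= 8 + n else None

def build_two_key_ciphertext(body_a: bytes, body_b: bytes):
    """One ciphertext, two EncryptedFile infos carrying the same valid hash: key_a
    yields a HEAD file plus trailing junk, key_b leading junk plus a TAIL file."""
    file_a = b"HEAD" + len(body_a).to_bytes(4, "big") + body_a
    file_b = body_b + len(body_b).to_bytes(4, "big") + b"TAIL"
    key_a, key_b = os.urandom(32), os.urandom(32)
    iv = os.urandom(8) + bytes(8)  # random nonce half, zero counter half (usual client practice)
    total = len(file_a) + len(file_b)
    ks_a, ks_b = keystream(key_a, iv, total), keystream(key_b, iv, total)
    ct = bytes(p ^ k for p, k in zip(file_a, ks_a))                 # segment 1 under key_a
    ct += bytes(p ^ k for p, k in zip(file_b, ks_b[len(file_a):]))  # segment 2 under key_b
    return ct, file_info(key_a, iv, ct), file_info(key_b, iv, ct)

def commit_tag(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """Illustrative key-committing tag (an assumption here, not the spec's remedy):
    HMAC under a key derived from the file key, stored alongside the ciphertext."""
    tag_key = hmac.new(key, b"media-commit", hashlib.sha256).digest()
    return hmac.new(tag_key, iv + ct, hashlib.sha256).digest()

def committing_decrypt(key: bytes, iv: bytes, blob: bytes) -> bytes:
    """Rejects the blob under any key other than the one its tag commits to."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(commit_tag(key, iv, ct), tag):
        raise ValueError("tag mismatch: wrong key or tampered blob")
    return ctr_xor(key, iv, ct)

def demo() -> dict:
    ct, info_a, info_b = build_two_key_ciphertext(b"picture for Alice", b"different picture for Bob")
    pt_a, pt_b = matrix_style_decrypt(ct, info_a), matrix_style_decrypt(ct, info_b)
    key_a, key_b, iv = unb64(info_a["key"]["k"]), unb64(info_b["key"]["k"]), unb64(info_a["iv"])
    blob = ct + commit_tag(key_a, iv, ct)  # the same ciphertext, now bound to key_a
    try:
        committing_decrypt(key_b, iv, blob)
        rejected = False
    except ValueError:
        rejected = True
    return {"same_hash": info_a["hashes"] == info_b["hashes"],
            "plaintexts_differ": pt_a != pt_b,
            "head_body": parse_head_format(pt_a),
            "tail_body": parse_tail_format(pt_b),
            "committing_accepts_key_a": committing_decrypt(key_a, iv, blob) == pt_a,
            "committing_rejects_key_b": rejected}
```

Calling `demo()` returns a dict showing that both EncryptedFile infos carry the identical ciphertext hash, that the two decryptions differ yet each parses as a complete file in its own format, and that the committing variant accepts `key_a` and rejects `key_b`. The design point is where the tag lives: it must be stored with the uploaded blob, as an AEAD's tag normally is, not only inside the room event. A tag that travels in the event can simply be recomputed by the sender for each key they hand out, whereas a tag bound to the stored blob means the blob verifies under exactly one key, which is the property the unkeyed SHA-256 fails to give.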

1 comment
By @2Gkashmiri - 8 months
If I am being out of touch, please tell me: do these disclosures and fixes mean more eyeballs on Matrix code, which ultimately means it is getting better?