element-hq / element-ios

A glossy Matrix collaboration client for iOS
https://element.io
GNU Affero General Public License v3.0

Cryptographically safe eventDeviceInfo #7780

Open richvdh opened 5 months ago

richvdh commented 5 months ago

The `MXCrypto.eventDeviceInfo` method, used to display several encryption decorations on the timeline, uses unsafe/plaintext fields of `MXEvent` to fetch the relevant device. These are easily spoofable by the homeserver; see code.

A better approach is to use a `sender_key` that should match any of our previously created sessions with this device. To access this data / fetch a device by its `sender_key`, relevant changes need to be made in rust crypto.
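To make the difference between the two lookups concrete, here is an added example in Rust. It is not code from element-ios or from the rust crypto crate; the `DeviceInfo`, `DecryptedEvent` and `CryptoStore` types, the device ids and the key strings are all constructed for the illustration. It assumes the sender key is taken from our own session store (the Olm session the decryption keys arrived through), not from any plaintext field of the event.

```rust
use std::collections::HashSet;

/// A device as the crypto store knows it from its signed device-key upload.
/// Constructed for this example; not the rust crypto crate's own device type.
#[derive(Clone, Debug, PartialEq)]
pub struct DeviceInfo {
    pub user_id: String,
    pub device_id: String,
    /// Curve25519 identity key published (and signed) by the device itself.
    pub curve25519_key: String,
    pub verified: bool,
}

/// The pieces of a decrypted m.room.encrypted event that matter for the lookup.
pub struct DecryptedEvent {
    /// `sender` from the event envelope: plaintext, written by the homeserver.
    pub sender: String,
    /// `device_id` from the encrypted content: also plaintext, so also spoofable.
    pub claimed_device_id: String,
    /// Curve25519 key of the Olm session through which the decryption keys for
    /// this event reached us. Taken from our session store, not from the event.
    pub session_sender_key: String,
}

pub struct CryptoStore {
    devices: Vec<DeviceInfo>,
    /// Curve25519 keys of the remote devices we have established Olm sessions with.
    olm_session_keys: HashSet<String>,
}

impl CryptoStore {
    /// Lookup in the style the issue calls unsafe: trusts the plaintext
    /// (sender, device_id) pair, so the homeserver picks which device is shown.
    pub fn device_by_claimed_id(&self, ev: &DecryptedEvent) -> Option<&DeviceInfo> {
        self.devices
            .iter()
            .find(|d| d.user_id == ev.sender && d.device_id == ev.claimed_device_id)
    }

    /// Lookup in the style the issue proposes: the event is attributed to the
    /// device whose identity key matches a session we ourselves created.
    pub fn device_by_sender_key(&self, ev: &DecryptedEvent) -> Option<&DeviceInfo> {
        // No Olm session with this key means we never exchanged keys with that
        // device, so there is nothing to attribute the event to.
        if !self.olm_session_keys.contains(&ev.session_sender_key) {
            return None;
        }
        // The key is bound to the device by the device's own signature on its key
        // upload; the user_id check stops a session with some other user's device
        // from being attributed to `sender`.
        self.devices
            .iter()
            .find(|d| d.user_id == ev.sender && d.curve25519_key == ev.session_sender_key)
    }
}

/// Constructed scenario: alice has a verified device and an unverified one, and we
/// hold Olm sessions with both. Key strings are placeholders, not real base64 keys.
pub fn sample_store() -> CryptoStore {
    let dev = |id: &str, key: &str, verified: bool| DeviceInfo {
        user_id: "@alice:example.org".into(),
        device_id: id.into(),
        curve25519_key: key.into(),
        verified,
    };
    CryptoStore {
        devices: vec![
            dev("ALICEPHONE", "K_alice_phone", true),
            dev("ALICEROGUE", "K_alice_rogue", false),
        ],
        olm_session_keys: ["K_alice_phone", "K_alice_rogue"]
            .iter()
            .map(|k| k.to_string())
            .collect(),
    }
}

/// The homeserver relabels a message really sent by the unverified device as
/// coming from the verified one; only the plaintext claim changes.
pub fn spoofed_event() -> DecryptedEvent {
    DecryptedEvent {
        sender: "@alice:example.org".into(),
        claimed_device_id: "ALICEPHONE".into(),
        session_sender_key: "K_alice_rogue".into(),
    }
}

/// (device_id, verified) as each lookup would report it for the spoofed event.
pub fn compare_lookups() -> (Option<(String, bool)>, Option<(String, bool)>) {
    let store = sample_store();
    let ev = spoofed_event();
    let pick = |d: Option<&DeviceInfo>| d.map(|d| (d.device_id.clone(), d.verified));
    (
        pick(store.device_by_claimed_id(&ev)),
        pick(store.device_by_sender_key(&ev)),
    )
}

fn main() {
    let (by_id, by_key) = compare_lookups();
    println!("by claimed device_id:  {:?}", by_id);
    println!("by session sender_key: {:?}", by_key);
}
```

With the spoofed event, the claimed-id lookup returns the verified `ALICEPHONE` and would draw a trusted decoration, while the sender-key lookup attributes the event to `ALICEROGUE`, the device whose session actually delivered the keys. An event whose session key matches no session we created yields `None` from the second lookup, which is the right answer: we have no cryptographic basis for naming any device.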