Closed yangm97 closed 4 years ago
Thank you for making this archive, all organizations can learn from this event and the statements shared with us. I'm not sure we would have seen/heard all of these details otherwise, but with these disclosures, we're all given an opportunity to be honest with ourselves, review our best practices, and revise/improve what we know should already have been changed a while ago.
Get help with those updates or changes if you need it, don't ignore the issues. Those nagging voices are there for a reason.
Kudos to the devs and sys admins hard at work to get things back in order, our thoughts are with you, it definitely isn't an experience any of us want.
But let us also realize: the times have seriously changed. We all need to up our game, significantly. If you aren't already thinking these thoughts, please reconsider your position of comfort before all your base are pwned.
I'd like to point out that, I think, the Matrix.org group does not place as much value on security as it should: https://github.com/matrix-org/synapse/issues/4158
I know that they are busting their asses and trying to do as much as they can, including this and other security stuff, but when certain security issues (like above) are raised, and they don't get traction after months, it worries me.
I suspect this mentality is what led to the original breach issue, as it sounds like nobody is doing any security auditing and asking "hey, why are we doing it this way? It's insecure." But I'm an outsider, and I can't be 100% sure.
I am a big fan of Matrix.org and Riot.im and all those people behind it. I want them to learn from this and hopefully plug some other serious security issues going on, because the world NEEDS Matrix.org and Riot.im. And if they don't learn from this, well that's just a modern tragedy.
Did the attacker tamper with the JavaScript of the web app? I've asked in the main chat, but would like an official statement on this. This would allow the attacker to compromise encrypted messaging.
They did not, based on everything we have seen so far in analysing their actions.
Could you use markdown quotes instead of code blocks to do the quoting? On mobile that means no automated linebreaks and thus a lot of scrolling sideways.
Edit: Thankies.
(I've edited the original post as per above.)
Were any of the identity servers affected? I can't find anything about vector.im infrastructure. Is this the right place to ask?
And thank you for being transparent about the issues.
@ilu33 https://matrix.org/blog/2019/04/11/security-incident/
Identity server data does not appear to have been compromised
Can you please give more information:
thank you!
@emdete All of that is covered in the blog post linked above.
Everything in this thread (and more) was resolved months ago; as per the plan at https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident/. So, I’m closing this off.
Earlier today the attacker posted some insightful issues, but since GitHub has suspended their account, those are now gone. This is a repost.
GitHub issues of matrix.org pieced together as one "story":
EDIT: Add archive.org links: