17 comments

[ 3.0 ms ] story [ 49.9 ms ] thread
>The vulnerability allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message.

How can a matrix user execute commands when they are my definition not in the IRC server? Does it mean it allows the bot to execute commands?

Every (active) Matrix user in a bridged room (or portal) has a corresponsing user/connection on IRC. That is, if you join a bridged Matrix room as @charcircuit:example.com, the appservice responsible for bridging said room to IRC will open a connection with NICK/USER charcircuit to IRC (if not open already).

Effectively, appservice-irc is a multi tenant IRC client.

How much did Element pay the researcher for this find ? Element has a bug bounty program, no ?
I don't see a reference to this issue on their bug bounty page (https://app.intigriti.com/programs/matrix/matrix/detail) but it's possible that the researcher came to them directly or didn't want a reward. You'll have to ask the person who demonstrated the vulnerability.

According to their responsible disclosure page (https://matrix.org/security-disclosure-policy/) they don't generally do bug bounties. I'm not sure what their intigrity page is all about, perhaps they did in the past?

Researcher?

A click on the url to his homepage reveals that he is a backend software engineer who does volunteer work on free software and open protocols

What do you think a researcher is in this context?
(comment deleted)
Needs a white lab coat.
A person who's job it is to do research on security of software
So pay is a prerequisite and not skillset? Surely that would just be a "professional researcher", no?

And even so, does a freelance researcher "have a job", in the traditional sense?

In the infosec community, "researcher" is the noun of choice to describe anyone who has discovered a security vulnerability, no matter their motivation or experience.
Gotta be a PhD computer scientist in security at MIT else you're a poseur I guess? :)
(comment deleted)
Element currently piggybacks on the Matrix.org Foundation bug bounty programmes (which are the relevant ones here anyway, given matrix-appservice-irc is a Matrix.org project - i.e. owned by and managed by the Foundation, albeit with lots of contributions from Element employees)

Right now the Matrix.org Foundation is between bug bounties - we ran an EU funded one via Intigriti last year (https://portswigger.net/daily-swig/intigriti-launches-eu-bac...) until the funding was consumed, and I'm literally about to sign the contract on a new permanent one for the Matrix Foundation funded by Element run by YesWeHack.

EDIT: https://matrix.org/security-disclosure-policy/ will get updated when the new bounty programme is live. You can see the history of that page over at https://github.com/matrix-org/matrix.org/commits/master/gats... in terms of when bounties have come & gone over the years.

Ok, thanks for the info (so, 0$).
(comment deleted)
Is there a decent overview of commercial adoption of Matrix? i.e. what are the top 10 biggest companies using Matrix, and is there a vehicle by which they could pay for some security audits and bug bounties above and beyond the Matrix foundation?