Element iOS is vulnerable due to missing decoration for events decrypted with untrusted Megolm sessions

Vulnerability

Element iOS versions before 1.9.7 contain a vulnerability in how encrypted events are handled. Events encrypted using the Megolm protocol, for which trust could not be established (e.g., because the session key was not verified or came from an unverified device), were not decorated with warning shields in the user interface. This means a malicious homeserver could inject messages into a room without the user being alerted that the messages were not sent by a verified group member, even if the user had previously verified all group members [1], [2].

Exploitation

An attacker controlling a malicious Matrix homeserver can exploit this by injecting encrypted messages into a room using a Megolm session that is not trusted. No user interaction beyond normal use is required; the messages will be rendered without the expected trust indicators, making the user believe the messages originated from a verified group member [2].

Impact

Successful exploitation allows an attacker to impersonate verified group members in encrypted rooms. The primary impact is on message integrity and authenticity, as users may be misled into trusting messages that were not actually sent by the claimed verified user. This could lead to social engineering or other attacks leveraging false trust [2].

Mitigation

The vulnerability has been patched in Element iOS version 1.9.7, released on 2022-11-11 [1]. There are no known workarounds for unpatched versions. Users should update to 1.9.7 or later [2].