Matrix Compromised Through Known Jenkins Flaws

Matrix users are encouraged to change their passwords after an unauthorized actor gained access to the servers hosting Those using IRC bridging are also encouraged to change their NickServ passwords.

An open network for secure, interoperable, decentralized, real-time communication over IP, Matrix is used across instant messaging, VoIP/WebRTC signaling and internet of things (IoT) communication, according to the company’s website.

On April 9, 2019, security researcher Jaikey Sarraf alerted Matrix to existing vulnerabilities in Jenkins, which Matrix said it used for continuous integration. “The version of Jenkins we were using had a vulnerability (CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002) which allowed an attacker to hijack credentials (forwarded ssh keys), giving access to our production infrastructure.”

When Matrix identified that machines had been compromised, the company removed Jenkins and reportedly denied the attacker access to the compromised machines.

Matrix updated the security incident notice today, stating: “At around 5am UTC on Apr 12, the attacker used a cloudflare API key to repoint DNS for to a defacement website ( The API key was known compromised in the original attack, and during the rebuild the key was theoretically replaced. However, unfortunately only personal keys were rotated, enabling the defacement. We are currently double checking that all compromised secrets have been rotated.

“The rebuilt infrastructure itself is secure, however, and the DNS issue has been solved without further abuse. If you have already changed your password, you do not need to do so again.”

Noting that no home servers besides have been affected, the company said, “The intruder had access to the production databases, potentially giving them access to unencrypted message data, password hashes and access tokens. The hacker exploited a vulnerability in our production infrastructure (specifically a slightly outdated version of Jenkins).”

All users were logged out of, and “the home server has been rebuilt and is running securely; bridges and other ancillary services (e.g. this blog) will follow as soon as possible. home servers have not been affected by this outage,” the security incident notice stated.

The investigation remains ongoing, but thus far there has been no evidence that large quantities of data were downloaded, though “the attacker did have access to the production database, so unencrypted content (including private messages, password hashes and access tokens) may be compromised.”