A dangerous vulnerability in most Matrix clients

It was recently announced that vulnerabilities (CVE-2021-40823, CVE-2021-40824) have been identified in most client applications for the decentralized communication platform Matrix. They make it possible to obtain information about the keys used to transfer messages in end-to-end encrypted (E2EE) chats.

An attacker who has compromised one of the users in a chat can decrypt messages previously sent to that user from vulnerable client applications. Successful exploitation requires access to the message recipient's account, and that access can be obtained either by leaking the account credentials or by compromising the Matrix server through which the user connects.

The vulnerability is noted to be most dangerous for users of encrypted chat rooms to which an attacker-controlled Matrix server is connected. The administrators of such servers can attempt to impersonate the server's users in order to intercept messages sent to the chat from vulnerable client applications.

The vulnerabilities are caused by logic errors in the implementations of the mechanism for re-requesting session keys that were found in various clients. The implementations based on the matrix-ios-sdk, matrix-nio and libolm libraries are not affected.

Accordingly, the vulnerability appears in all applications that borrowed the problematic code, and it does not directly affect the Matrix and Olm/Megolm protocols themselves.

Specifically, the issue affects the main Element Matrix client (formerly Riot) for web, desktop and Android, as well as third-party client applications and libraries such as FluffyChat, Nheko, Cinny and SchildiChat. The problem does not appear in the official iOS client, nor in the Chatty, Hydrogen, mautrix, purple-matrix and Siphon applications.

Patched versions of the affected clients are now available; users are therefore asked to update as soon as possible, and we apologize for the inconvenience. If you cannot upgrade, consider keeping vulnerable clients offline until you can. If vulnerable clients are offline, they cannot be tricked into revealing keys. They can safely be brought back online once they have been updated.

Unfortunately, it is difficult or impossible to retroactively identify instances of this attack with the standard log levels present on clients and servers. However, since the attack requires compromising an account, home server administrators may want to review their authentication logs for any signs of inappropriate access.

The session key exchange mechanism in whose implementation the vulnerability was identified allows a client that lacks the keys to decrypt a message to request those keys from the sender's device or from other devices.

For example, this capability is needed to decrypt old messages on a user's new device, or when the user has lost their existing keys. The protocol specification prescribes, by default, not to respond to key requests automatically and to send keys only to verified devices belonging to the same user. Unfortunately, in the actual implementations this requirement was not met, and key-sharing requests were processed without properly verifying the requesting device.
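The policy difference described in the two paragraphs above, as an added illustration that is not code from Element, any Matrix SDK or the Matrix specification: a simplified key-request handler in which the flawed variant shares a held session key with whoever asks, while the spec-default variant only shares it with a known, verified device of the same user and otherwise stays silent. The data structures, function names and the sample device list are assumptions constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    SHARE = "share"    # forward the session key to the requesting device
    IGNORE = "ignore"  # spec default: do not answer the request automatically


@dataclass(frozen=True)
class Device:
    user_id: str
    device_id: str
    verified: bool     # verification state as this client currently sees it


@dataclass(frozen=True)
class KeyRequest:
    user_id: str       # claimed owner of the requesting device
    device_id: str
    room_id: str
    session_id: str    # Megolm session whose key is being asked for


@dataclass
class ClientState:
    own_user_id: str
    devices: dict      # (user_id, device_id) -> Device, as known to this client
    sessions: dict     # session_id -> room_id, for keys this client holds


def flawed_policy(state: ClientState, req: KeyRequest) -> Decision:
    """Behaviour the advisory describes: the key is shared whenever it is held,
    with no check on who is asking (hypothetical reconstruction)."""
    if state.sessions.get(req.session_id) == req.room_id:
        return Decision.SHARE
    return Decision.IGNORE


def spec_default_policy(state: ClientState, req: KeyRequest) -> Decision:
    """Spec default: share automatically only with a verified device of our own
    user; every other request is left unanswered rather than refused loudly."""
    if state.sessions.get(req.session_id) != req.room_id:
        return Decision.IGNORE                       # we do not hold that key
    if req.user_id != state.own_user_id:
        return Decision.IGNORE                       # other users never get auto-shares
    device = state.devices.get((req.user_id, req.device_id))
    if device is None or not device.verified:
        return Decision.IGNORE                       # unknown or unverified device
    return Decision.SHARE


def build_example_state() -> ClientState:
    """Constructed sample state: Alice's client with two verified devices,
    one unverified device, and a key for one room session."""
    alice = "@alice:example.org"
    mallory = "@mallory:evil.example"
    devices = {
        (alice, "DESKTOP01"): Device(alice, "DESKTOP01", verified=True),
        (alice, "PHONE02"): Device(alice, "PHONE02", verified=True),
        (alice, "UNKNOWN99"): Device(alice, "UNKNOWN99", verified=False),
        (mallory, "MAL01"): Device(mallory, "MAL01", verified=False),
    }
    sessions = {"sess-1": "!room:example.org"}
    return ClientState(alice, devices, sessions)


def compare_policies(state: ClientState, req: KeyRequest):
    """Return (flawed decision, spec-default decision) for the same request."""
    return flawed_policy(state, req), spec_default_policy(state, req)


if __name__ == "__main__":
    st = build_example_state()
    for dev, user in (("PHONE02", st.own_user_id),
                      ("UNKNOWN99", st.own_user_id),
                      ("MAL01", "@mallory:evil.example")):
        r = KeyRequest(user, dev, "!room:example.org", "sess-1")
        print(dev, compare_policies(st, r))
```

The unverified device and the foreign user are exactly the two cases an account compromise or a hostile home server would exercise: the flawed handler hands out the key in both, the spec-default handler answers neither. Ignoring rather than denying matches the advisory's point that the default is simply not to respond.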

The vulnerabilities were identified during a security audit of the Element client. Fixes are now available for all affected clients. Users are advised to install the updates urgently and to take the clients offline until the update has been installed.

There is no evidence that the vulnerability was exploited before the fix was released. An attack cannot be confirmed from standard client and server logs, but since it requires compromising an account, administrators can check for suspicious logins using the authentication logs on their servers, and users can review the list of devices connected to their account for recent reconnections and changes in trust status.

Source: https://matrix.org
