Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • test-ci protected
  • pr-1855/Integral-Tech/nheko/fix-html
  • pr-1838/ReillyBrogan/nheko/nheko-optional-kirigami
  • gh-readonly-queue/master/pr-1825-27683bedc41375ac97ddf87ce430fd98aac9fc7c
  • pr-1815/p12tic/nheko/workaround-bad-well-known
  • hideAllPins
  • pr-1760/nishanthkarthik/nheko/theme
  • pr-1732/nishanthkarthik/nheko/search-space
  • pr-1728/Bubu/nheko/scrollable_welcome_page
  • fixCirrusCI
  • pr-1725/checkraisefold/nheko/win_d3d11_qml
  • pr-1719/Lymkwi/nheko/feature/media-captioning
  • betterimageview
  • win_d3d11_qml
  • fixswitch
  • glitchtext
  • gitlab_as_runner protected
  • quickswitchclose
  • devicelist
  • v0.12.0 protected
  • v0.11.3 protected
  • v0.11.2 protected
  • v0.11.1 protected
  • v0.11.0 protected
  • v0.10.2 protected
  • v0.10.1-1 protected
  • v0.10.1 protected
  • v0.10.0 protected
  • v0.9.3 protected
  • v0.9.2 protected
  • v0.9.1-1 protected
  • v0.9.1 protected
  • v0.9.0 protected
  • v0.8.2 protected
  • v0.8.2-rc2 protected
  • v0.8.2-RC protected
  • v0.8.1 protected
  • v0.0.1 protected
  • v0.8.0 protected
40 results
Search by author
  • Any Author
  • **** **** project_2_bot_819836bae514503967234115b088b90b
  • Joe Donofry Joe Donofry redsky17
  • Loren Burkholder Loren Burkholder LorenDB
  • Nicolas Werner Nicolas Werner deepbluev7
4 authors
This project is mirrored from https://github.com/Nheko-Reborn/nheko.git. Pull mirroring updated .
  1. Oct 05, 2022
  3. Oct 03, 2022
  5. Oct 02, 2022
  7. Oct 01, 2022
  9. Sep 30, 2022
  11. Sep 28, 2022
    • Nicolas Werner's avatar
      Make clazy happy · bffa0115
      Nicolas Werner authored
      Verified
      bffa0115
    • Nicolas Werner's avatar
      Merge branch 'v0.10.2-fixes' · 2fde381a
      Nicolas Werner authored
      Verified
      2fde381a
    • Nicolas Werner's avatar
      Bump version to 0.10.2 · 031a1295
      Nicolas Werner authored
      View commits for tag v0.10.2 v0.10.2 Verified
      031a1295
    • Nicolas Werner's avatar
      Prevent the homeserver from inserting malicious secrets · 67bee15a
      Nicolas Werner authored 
      Correctly verify that the reply to a secrets request is actually coming
from a verified device. While we did verify that it was us who replied,
we didn't properly cancel storing the secret if the sending device was
one of ours but was maliciously inserted by the homeserver and
unverified. We only send secret requests to verified devices in the
first place, so only the homeserver could abuse this issue.

Additionally we protected against malicious secret poisoning by
verifying that the secret is actually the reply to a request. This means
the server only has 2 places where it can poison the secrets:

- After a verification when we automatically request the secrets
- When the user manually hits the request button

It also needs to prevent other secret answers to reach the client first
since we ignore all replies after that one.

The impact of this might be quite severe. It could allow the server to
replace the cross-signing keys silently and while we might not trust
that key, we possibly could trust it in the future if we rely on the
stored secret. Similarly this could potentially be abused to make the
client trust a malicious online key backup.

If your deployment is not patched yet and you don't control your
homeserver, you can protect against this by simply not doing any
verifications of your own devices and not pressing the request button in
the settings menu.
      Verified
      67bee15a
    • Joe Donofry's avatar
      If and Else blocks were backwards · 9010acd9
      Joe Donofry authored and Nicolas Werner's avatar Nicolas Werner committed
      Verified
      9010acd9
    • Joe Donofry's avatar
      Make sure there are no spaces in the status string · e6bbe74a
      Joe Donofry authored and Nicolas Werner's avatar Nicolas Werner committed
      Verified
      e6bbe74a