We are very excited about our Librem One launch, if you can’t tell, but to make things even more exciting we have also hit a different milestone with the service: our first security bug. We believe in transparency in general, and especially when it comes to security. Security bugs happen in all software and services, and our stance is that the best approach is not only to fix security issues as soon as possible but also to be up front and alert you to them as soon as possible.
One of our keen community members, rae, discovered a severe security vulnerability in the Librem Chat service that allowed them to log in to our chat server as any user. This is obviously a serious vulnerability, so we immediately shut down the chat server while we investigated.
It turns out the bug was introduced by a change in the unreleased “master” branch of the matrix-synapse-ldap3 plugin, which Librem Chat uses to authenticate users against LDAP. The bug ultimately came down to a mistake in a single line of code in a function related to LDAP searches:
- result = yield self._ldap_simple_bind(
+ result, _ = yield self._ldap_simple_bind(
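Review bot: the `-` line assigns the whole 2-tuple returned by `_ldap_simple_bind` to `result`, and a non-empty tuple is always truthy in Python, so any truthiness check on `result` downstream accepts the login whether or not the bind actually succeeded, which matches the "log in as any user" symptom described above. The `+` line unpacks the pair so `result` holds only the success flag. The same pattern should be checked at every other call site of `_ldap_simple_bind`, and a regression test that binds with a wrong password and asserts that the login is refused would have caught this before it reached master.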
What a difference a tuple unpacking makes: the helper returns a pair, and without the `, _` the whole pair was stored in `result` instead of just the success flag. See https://twitter.com/matrixdotorg/status/1123298776725303299 for the security notice from the Matrix team.
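To make the failure mode concrete, here is an added, self-contained Python example. It is not code from this post or from the LDAP plugin it describes; it is a stand-in that reproduces the shape of the bug. The bind helper (`ldap_simple_bind`, a constructed function backed by a fabricated in-memory directory rather than a real LDAP server) follows the contract the diff implies: it returns a `(success, connection)` tuple. The “before” checker assigns that tuple to `result`, so the wrong-password case is accepted because a non-empty tuple is always truthy; the “after” checker unpacks the tuple, and a third variant shows a stricter comparison that would also survive a future change to the helper’s return type.

```python
"""Tuple-truthiness authentication bypass, shown on a stand-in bind helper.

This is an added illustration, not the plugin's own code. The names
FAKE_DIRECTORY, FakeLdapConnection and ldap_simple_bind are constructed
for the demo only; there is no network or real LDAP involved.
"""
from typing import Optional, Tuple

# Constructed sample directory: uid -> password (assumption for the demo).
FAKE_DIRECTORY = {"alice": "correct horse", "bob": "battery staple"}


class FakeLdapConnection:
    """Stand-in for an ldap3 connection object. Like any object it is truthy,
    which is part of why the tuple containing it can never be falsy."""

    def __init__(self, bound_dn: Optional[str]):
        self.bound_dn = bound_dn


def ldap_simple_bind(uid: str, password: str) -> Tuple[bool, FakeLdapConnection]:
    """Mimic the helper's contract: return (bind_succeeded, connection).

    Note that a tuple is returned even when the bind fails, so only the
    first element is a reliable success signal.
    """
    ok = FAKE_DIRECTORY.get(uid) == password
    dn = f"uid={uid},ou=users,dc=example,dc=org" if ok else None
    return ok, FakeLdapConnection(dn)


def check_password_vulnerable(uid: str, password: str) -> bool:
    """The 'before' shape: the whole tuple lands in `result` and is tested.

    `result` is (False, <connection>) on a failed bind, and a non-empty
    tuple is truthy, so this accepts any password for any user.
    """
    result = ldap_simple_bind(uid, password)
    if result:
        return True
    return False


def check_password_fixed(uid: str, password: str) -> bool:
    """The 'after' shape: unpack so only the boolean flag is tested."""
    result, _conn = ldap_simple_bind(uid, password)
    return bool(result)


def check_password_strict(uid: str, password: str) -> bool:
    """Harder to get wrong: accept only a literal True success flag, so a
    future refactor that returns an object or tuple here fails closed."""
    result, _conn = ldap_simple_bind(uid, password)
    return result is True


def regression_check(checker) -> bool:
    """Return True if `checker` behaves correctly on a wrong password, a
    right password and an unknown user. This is the test that would have
    caught the bug before it reached master."""
    return (
        checker("alice", "wrong password") is False
        and checker("alice", "correct horse") is True
        and checker("nobody", "") is False
    )


if __name__ == "__main__":
    for name, fn in [("vulnerable", check_password_vulnerable),
                     ("fixed", check_password_fixed),
                     ("strict", check_password_strict)]:
        print(f"{name:10s} rejects wrong password: {regression_check(fn)}")
```

The `regression_check` helper is the part worth keeping: any authentication provider whose helper returns a tuple or an object should have a test that asserts a wrong password is refused, because the truthiness of the return value will not tell you.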
First, it is important to be clear about what this bug did not affect. All other Librem One services, including Tunnel, Mail, and Social, were not affected. It was an authentication bug specific to the Librem Chat service.
Fortunately the bug surfaced early in the service launch, before many customers were using chat. We shut chat down immediately upon confirming the bug, and the overall outage lasted about 30 minutes while we investigated and patched. As a precaution we also invalidated all existing access tokens, which required any client that was logged in to re-authenticate.
We have no indication that the bug was exploited maliciously, and any attempt to access a user’s chat encryption keys would have produced a prompt on your own chat client asking you to approve the key request from a new device. If you did see that prompt on your account, click the “Ignore” link in the notification and contact Purism support. If an attacker did manage to log in to your chat account, they would have been able to send chat messages as you and to see your chat account details, including your current client’s IP address, by looking at your account settings.
To check whether someone successfully logged in as you, go to your Librem Chat settings and scroll down to the Devices section. You should only see your own mobile device listed, unless you have also logged in to Librem Chat from a web client or another client. Each entry shows the device’s last-seen IP address and time, which helps identify a stranger. If you see any device in that list (in particular a riot.im device) that you did not use yourself, select that device and delete it; deleting a device also invalidates the access token it was using, so the attacker is logged out. If you have any questions about this issue, please contact our support team.