Signed, Sealed, Stolen: How We Patched Critical Vulnerabilities Under Fire
- Track: /dev/random
- Room: H.2215 (Ferrer)
- Day: Sunday
- Start: 16:00
- End: 16:15
- Video only: h2215
What happens when your server starts signing messages you didn't send?
Recently, the Continuwuity project (a Rust-based Matrix homeserver) fell victim to a targeted, active exploitation campaign. Attackers leveraged two critical vulnerabilities (CVSS 9.9 and 9.3) affecting the entire ecosystem of Conduit-derived servers. By exploiting flaws in the way that servers join and leave chat rooms, attackers forced the server to cryptographically sign unexpected events, with disastrous results. This allowed them to forge "leaves" to decimate public rooms, forge ACL rules to brick them, and temporarily take over an account to exfiltrate over 5,000 messages from the maintainers' private internal chat.
In this talk, Nex and Jade will take you inside the war room during the incident. We'll walk through the attack chain, explaining how attackers tricked the server, and how we figured out what happened. We'll also have a brief look at how we hardened our project against similar exploitation in the future.
Speakers
- Jade
- nex