Cinny Matrix Client Access Token Disclosure Vulnerability via Malicious Emote Pack

A vulnerability in Cinny, a Matrix client, prior to version 4.10.3, allows remote authenticated attackers to access victims' Matrix access tokens. This occurs when a victim, sharing a room with the attacker and having permissions to create room emotes, opens the emoji or sticker picker for a room containing a malicious emote pack. The vulnerability arises from an improper handling of user-controlled avatar URLs in the EmojiBoard, which can be exploited to send access tokens to an attacker-controlled server. Additionally, the service worker incorrectly attaches the user's Authorization header to certain outbound GET requests without verifying the request host, enabling the interception of access tokens by exploiting permissive CORS on the attacker-controlled server.

Impact

Exploitation of this vulnerability leads to unauthorized disclosure of the user's Matrix access token to an attacker-controlled server.

Remediation

Users can update to Cinny version 4.10.3 or later to address this vulnerability.