TL;DR

Hack Liberty announced it has moved its community from Matrix to SimpleX, citing persistent metadata leaks, administrator attack vectors, and protocol-level weaknesses in Matrix. The group's post summarizes passive and active risks tied to federated designs and points members to new SimpleX and XFTP server endpoints.

What happened

A post on the Hack Liberty forum explains that the community has left Matrix and migrated to SimpleX and XFTP services. The author, who says they operated public federated services (Matrix and Lemmy) for over two years, argues that Matrix’s federated design inevitably exposes metadata and grants powerful capabilities to homeserver administrators. The post lists specific data that Matrix does not protect (including message senders, timestamps, room membership events, reactions, read receipts, nicknames, and profile pictures) and outlines how a malicious server operator can both passively harvest logs and actively impersonate users or manipulate room state. It also summarizes broader protocol problems — for example, append-only event histories, unreliable redaction, optional end-to-end encryption, signature and JSON interoperability issues, and risks of split-brained rooms — and provides links and server connection strings for the new SimpleX and XFTP endpoints.

Why it matters

  • Metadata leakage can expose user relationships, activity timing, and participation even when message contents are encrypted.
  • Homeserver administrators retain practical abilities to read unencrypted data and perform impersonation or room-state attacks across federated rooms.
  • Protocol-level design choices (append-only histories, optional encryption, inconsistent JSON canonicalization) can create long-term integrity and interoperability risks.
  • Communities may shift toward alternative protocols that prioritize metadata resistance, affecting adoption and federation dynamics.

Key facts

  • Hack Liberty announced it has moved to SimpleX and published SimpleX and XFTP server endpoints.
  • The author says they administered public Matrix and Lemmy services for more than two years before leaving.
  • The post lists categories of information Matrix’s E2EE does not protect, including senders, timestamps, join/leave events, reactions, read receipts, nicknames, and profile pictures.
  • A homeserver administrator can query Synapse databases to gather logs and metadata and can take active steps like impersonating local users, changing room topics, inviting accounts, or adding devices.
  • Matrix’s protocol is described as append-only, making deletions advisory (redactions) and leaving scope for retained or shared historical data.
  • The write-up highlights practical risks such as spam via bots, difficulty linearizing history across servers, and the possibility of forged or inserted events.
  • Interoperability issues (canonical JSON differences, signing key expiry) are cited as causes of signature-check failures and split-brain room states.
  • End-to-end encryption in Matrix is optional and relies on reliable device-list updates; some metadata leakage is accepted by design for performance and UX reasons.
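As an added illustration (not code from the forum post or from the Matrix project) of the metadata the facts above describe, the following Python audits a constructed room timeline for what a homeserver can read even when the room is encrypted, and shows why a redaction leaves the event skeleton in the append-only history. All event values are invented; `exposed_to_homeserver`, `audit` and `redact` are simplified helpers written here, not Matrix or Synapse APIs.

```python
ENVELOPE_FIELDS = ("event_id", "type", "sender", "origin_server_ts", "state_key")

# Constructed timeline of an "encrypted" room (invented values, Matrix event layout).
SAMPLE_TIMELINE = [
    {"event_id": "$ev1", "type": "m.room.member", "sender": "@alice:example.org",
     "state_key": "@alice:example.org", "origin_server_ts": 1731240000000,
     "content": {"membership": "join", "displayname": "alice",
                 "avatar_url": "mxc://example.org/avatar1"}},
    {"event_id": "$ev2", "type": "m.room.encrypted", "sender": "@alice:example.org",
     "origin_server_ts": 1731240060000,
     "content": {"algorithm": "m.megolm.v1.aes-sha2", "ciphertext": "AwgAEnACgAkL...",
                 "session_id": "sess1", "device_id": "DEV1"}},
    {"event_id": "$ev3", "type": "m.reaction", "sender": "@bob:example.org",
     "origin_server_ts": 1731240120000,
     "content": {"m.relates_to": {"rel_type": "m.annotation",
                                  "event_id": "$ev2", "key": "+1"}}},
]

def exposed_to_homeserver(event: dict) -> dict:
    """Fields of one event that reach the server in cleartext."""
    exposed = {k: event[k] for k in ENVELOPE_FIELDS if k in event}
    encrypted = event["type"] == "m.room.encrypted"
    # For an encrypted event only the ciphertext is opaque; algorithm,
    # session id and device id are still readable by the server.
    exposed["content"] = {k: v for k, v in event["content"].items()
                          if not (encrypted and k == "ciphertext")}
    exposed["body_hidden"] = encrypted
    return exposed

def audit(events: list) -> dict:
    """Who spoke when, and which events leak their whole content."""
    rows = [exposed_to_homeserver(e) for e in events]
    return {
        "senders": sorted({r["sender"] for r in rows}),
        "timestamps": [r["origin_server_ts"] for r in rows],
        "cleartext_content": [r["event_id"] for r in rows if not r["body_hidden"]],
        "hidden_content": [r["event_id"] for r in rows if r["body_hidden"]],
    }

def redact(event: dict) -> dict:
    """Advisory deletion: content is stripped but the skeleton (sender, timestamp,
    type) stays in the append-only history. Simplified from the real algorithm,
    which keeps a per-type allow-list of content keys."""
    kept = {"membership"} if event["type"] == "m.room.member" else set()
    skeleton = {k: event[k] for k in ENVELOPE_FIELDS if k in event}
    skeleton["content"] = {k: v for k, v in event["content"].items() if k in kept}
    return skeleton
```

Running `audit(SAMPLE_TIMELINE)` shows both senders and all three timestamps in the clear, with only `$ev2` hiding its body; `redact(SAMPLE_TIMELINE[0])` still reports who joined and when.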

What to watch next

  • Whether Matrix project maintainers publish responses or mitigation plans addressing the specific metadata and protocol claims: not confirmed in the source.
  • Adoption and usage patterns of SimpleX by the former Hack Liberty community (the move was announced and endpoints published).
  • Community reactions across federated projects and any audits or third-party reviews of the claimed vulnerabilities: not confirmed in the source.

Quick glossary

  • Matrix: An open standard and protocol for decentralized, federated real-time communication used by various chat clients and homeservers.
  • Federation: A network design in which multiple independently operated servers interconnect to share data and users, rather than relying on a single central server.
  • End-to-end encryption (E2EE): Cryptographic protection designed so only communicating endpoints can read message contents; metadata may still be exposed.
  • Homeserver administrator: An operator with administrative control over a server in a federated network, able to access logs and perform certain server-side actions.
  • Metadata: Non-content information about communications, such as sender identifiers, timestamps, join/leave events, reactions, and profile attributes.

Reader FAQ

Did Hack Liberty leave Matrix entirely?
The forum post states the community moved to SimpleX and lists SimpleX/XFTP endpoints.

Are message contents unencrypted on Matrix?
The source does not say whether specific rooms had unencrypted content; the post notes that Matrix supports E2EE but that significant metadata and some events are not encrypted.

What kinds of attacks does the post describe?
It details passive data collection by admins (logs, devices, IPs) and active attacks like impersonating users, changing room topics, inviting accounts, and adding devices.

Did the author provide examples or evidence?
The post references example snippets and a link with demonstrations of metadata leaks.

Sources

  • c0mmando, "WE HAVE MOVED TO SIMPLEX", Hack Liberty forum, 10 Nov 2024: "Anyone that agrees to our Code of Conduct is welcome to join our Simplex Hack Liberty Community Room and our…"
