Matrix is an open standard and protocol for real-time communication. One of the Matrix packages is a reference homeserver, known as Synapse. This means that Synapse is essentially a server that organisations and communities can run to host and access their own Matrix server. It also means that those organisations are able to control who can sign up for and access that particular server.

To register on a server, the portal asks for details such as name, password, and email. The email field can be restricted to a particular domain, which is enforced through a regular expression (regex). This is particularly handy for companies wanting to only allow specific people on the server. For example, if the server is run by Facebook, they may limit registration to anyone who has a @facebook.com email address.

This is where the bypass comes in. The regex provided in the sample/commented-out configuration file in Matrix Synapse failed to terminate the regex after the intended top-level domain (TLD). What this means is that an external actor can craft an out-of-scope domain and email address, such as the one shown below.

Domain: facebook.com.sakshamanand.com
Email: [email protected]

The crafted email address above will successfully validate and authenticate non-organisation actors, resulting in information leakage and other attack vectors, depending on the server configuration. Additionally, given that this issue is present in sample documentation, it is possible that a wide range of users could have copied configurations for various Synapse servers based on this file, where the regex flaw is present.

The issue was present in a configuration entry on line 1247 of the sample_config.yaml file, known as allowed_local_3pids, which was also used by another piece of functionality in the application. A suggested fix for this regex is to anchor the pattern at the end of the intended TLD, and to restrict the username (local) part of the email address so that it cannot contain another @, as shown below.

Original: .*@matrix\.org
Fixed: ^[^@]+@matrix\.org$
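To make the difference between the two patterns concrete, here is an added example (not code from the post or from Synapse) that applies both patterns to a handful of constructed addresses. It assumes the allow-list check is a start-anchored match (Python's re.match), which is why a pattern without a trailing $ silently accepts anything appended after the intended domain.

```python
import re

# Patterns as they appear in the writeup: the sample-config pattern before the
# fix and the anchored replacement.
ORIGINAL_PATTERN = r".*@matrix\.org"
FIXED_PATTERN = r"^[^@]+@matrix\.org$"

# Constructed sample addresses (not from the page) covering the bypass and a
# few other shapes a registration endpoint might receive.
SAMPLE_EMAILS = [
    "alice@matrix.org",                     # legitimate in-scope address
    "alice@matrix.org.attacker.example",    # out-of-scope subdomain: the bypass
    "alice@matrix.org@attacker.example",    # second '@' after the allowed domain
    "@matrix.org",                          # empty local part
    "alice@matrixXorg",                     # '.' must be matched literally
]


def is_allowed(email: str, pattern: str) -> bool:
    """Apply an allow-list pattern with a start-anchored matcher.

    Assumption: the check uses re.match, which anchors only at the start of
    the string, so anything after the matched prefix is ignored unless the
    pattern itself ends with an anchor.
    """
    return re.match(pattern, email) is not None


def compare(emails=SAMPLE_EMAILS) -> dict:
    """Return {email: (original_allows, fixed_allows)} for each sample."""
    return {
        e: (is_allowed(e, ORIGINAL_PATTERN), is_allowed(e, FIXED_PATTERN))
        for e in emails
    }


def bypasses(emails=SAMPLE_EMAILS) -> list:
    """Addresses the original pattern accepts but the fixed pattern rejects."""
    return [e for e, (orig, fixed) in compare(emails).items() if orig and not fixed]


if __name__ == "__main__":
    for email, (orig, fixed) in compare().items():
        print(f"{email:36} original={orig!s:5} fixed={fixed!s:5}")
    print("accepted only by the unanchored pattern:", bypasses())
```

Running the block shows that the unanchored pattern accepts the subdomain trick, an address with a second @, and an address with an empty local part, while the fixed pattern accepts only the genuine @matrix.org address. One further caveat for anyone porting the fixed pattern into their own code: in Python, $ also matches just before a trailing newline, so if the input is not stripped beforehand, re.fullmatch or a \Z anchor is the stricter choice.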

I reported the issue upstream to Matrix Security on 31st March 2021, and a fix was made available by the maintainers under this pull request on the same day.