Element Desktop: Duplicate message index #16428

Closed
lanerussell opened this issue Feb 10, 2021 · 22 comments
Labels
A-E2EE O-Uncommon Most users are unlikely to come across this or unexpected workflow S-Major Severely degrades major functionality or product features, with no satisfactory workaround T-Defect Z-UISI Unable to decrypt errors

Comments

@lanerussell

Description

Intermittently, messages are appearing with the error: "** Unable to decrypt: Error: Duplicate message index, possible replay attack". This doesn't always happen from a specific sender. Messages before and after the affected message generally appear correctly. Clicking "Re-request encryption keys from your other sessions." has no effect. This happens on all 3 of my Element Desktop sessions.

In my case, these are not due to duplicate messages, they are due to actual messages from my contacts. I'm able to read these messages normally in Element Android. For reference, I set up all of my sessions by scanning the QR code with my Element Android session for verification. I have green shields with all contacts where this issue is occurring.

Steps to reproduce

  • Receive message on Element Desktop
  • Intermittently, messages from various senders show the error:
    ** Unable to decrypt: Error: Duplicate message index, possible replay attack

Describe how what happens differs from what you expected.

  • If most messages are able to be decrypted correctly, this error should not be appearing for random messages.

Logs being sent: yes

Element Desktop:
element-desktop

Element Android:
element-android

Version information

  • Platform: Desktop
  • OS: Ubuntu 20.04
  • Version: 1.7.20
@harbinger0x7c0

I am seeing this behavior on the desktop client (windows 10) and the web client (running in Chrome), but messages which are failing to decrypt in the browser and the desktop app decrypt without issue on the Android client.

@jryans jryans added Z-UISI Unable to decrypt errors T-Other Questions, user support, anything else and removed T-Defect labels Feb 11, 2021
@AtomicRPM

AtomicRPM commented Feb 11, 2021

I am experiencing this with the desktop client as well. Another symptom I have observed is a posted image will suddenly disappear on other devices. Refreshing the cache on those devices does not force the image to reappear.

The disappearing image always precedes the “duplicate message possible replay attack” error message.

@AtomicRPM

AtomicRPM commented Feb 12, 2021

I just built the latest element-web and signed into my HS and when the room was loading this appeared. This issue appears to sometimes happen after an image is posted to the room.

image

@AtomicRPM

AtomicRPM commented Feb 12, 2021

Another unable to decrypt with the errors from the log.

image

2021-02-11 19:26:23,893 - synapse.api.auth - 340 - WARNING - GET-4656 - Unrecognised access token - not in store.
2021-02-11 19:26:23,894 - synapse.http.server - 74 - INFO - GET-4656 - <SynapseRequest at 0x7f10c14c6ee0 method='GET' uri='/_matrix/client/r0/sync?filter=0&set_presence=offline&since=s208_618_286_120_220_1_45_20_1&timeout=0' clientproto='HTTP/1.0' site='8448'> SynapseError: 401 - Unrecognised access token

2021-02-11 19:26:31,928 - synapse.http.server - 74 - INFO - GET-4679 - <SynapseRequest at 0x7f10c0982e20 method='GET' uri='/_matrix/client/r0/room_keys/version' clientproto='HTTP/1.0' site='8448'> SynapseError: 404 - No backup found

@AtomicRPM

AtomicRPM commented Feb 12, 2021

I am able to reproduce.

Sign in with web client.
Perform device key verification between first mobile device and web client. Rooms load and presence on mobile device shows gray shield - "The authenticity of this encrypted message can't be guaranteed on this device".
Post image from first mobile device.
Post message from first mobile device.
Unable to decrypt error message seen in web client.

Synapse version
{
"server_version": "1.26.0",
"python_version": "3.8.5"
}

Element-web 1.7.20
iOS 1.1.7

image

@tleydxdy

tleydxdy commented Feb 27, 2021

Saw this in normal group chat as well, out of the blue, and no pictures posted before it. It was a reply tho.
Element version: 1.7.21
olm version: 3.2.1

on android it works fine

@localguru

Same problem here. Message on Android App is decrypted, on Desktop Client and iOS message is encrypted with "** Unable to decrypt: Error: Duplicate message index, possible replay attack" error. "Re-request encryption keys from your other sessions." has no effect. This problem is reported by several users.

@localguru

@electricOzone if you clear the cache in your desktop client, the message will be decrypted there too. Just tested it with the Linux desktop client. Hmmm ... so there must be a difference to the Android client, which doesn't have this problem.

@localguru

The following clients are affected by this problem: Linux V 1.7.20, MAC V 1.7.21, iPad V 1.2.1. Clearing the cache decrypts the message on all clients.

@AtomicRPM

Cleaning cache does not decrypt message for me. I am using the latest version of element web.

@harbinger0x7c0

Clearing the cache in the web version does not work for me either.

@kittykat kittykat added A-E2EE O-Uncommon Most users are unlikely to come across this or unexpected workflow S-Major Severely degrades major functionality or product features, with no satisfactory workaround T-Defect and removed T-Other Questions, user support, anything else labels Jan 13, 2022
@thegcat

thegcat commented Feb 28, 2023

We also observe this issue, though I first thought this affected all other sessions other than the sending element iOS and I filed it there, see element-hq/element-ios#7376.

See element-hq/element-ios#7376 (comment) for a video reproducing the error and following discussion that this might not be an element iOS issue.

@airforceixi

Observing the same issue. Occurs with Element on Windows, macOS, Linux, and Web. iOS appears fine. Clear cache resolved the most recent occurrence, however past messages that came through without issue are now presenting the issue when scrolling back. Occurs with BOTH users in both a direct message as well as a newly formed room.

@jacotec

jacotec commented Apr 14, 2023

Same here! Mostly after the other party has sent a picture. Clearing cache does not solve it and it's happening with the same messages on all Desktop and Web sessions.

See my comment in #25108 ... I think it is in fact not a key issue, but an Element-Web / Desktop issue where these messages are mistakenly interpreted as a "replay attack" (which they are in fact not).

iOS and Android apps are all fine in these chats!

Unfortunately this has been open for 2 years and nobody seems to care about it ...

@angloromanticism

Same issue happening. Reinstalled Element Desktop and it continues to produce errors even after reset/reload, and total reinstall & reverify. Started suddenly today, using for years.

@jittygitty

jittygitty commented Apr 25, 2023

I just got this error recently also....
"** Unable to decrypt: Error: Duplicate message index, possible replay attack: TD/M9fZ+....+ygd3iDP/U|0 **
Re-request encryption keys from your other sessions."

Apparently, it was because of a duplicate message, the person I was talking with sent me a screenshot which showed that the message that gave me that error above was an exact duplicate of the previous message right above it. Now I don't know if the chat glitched and created the duplicate message itself or if he had done it accidentally.

I'm using Element Desktop Element version: 1.10.10
Olm version: 3.2.8 (and by screenshot he's using some mobile one, likely Android) and we're both using accounts created on matrix.org and chatting via that server.

@neutralinsomniac

Myself and a friend both have this issue on the exact same message. iOS shows fine, Android shows fine, element-web shows the duplicate message index error.

@tnsasse

tnsasse commented Apr 30, 2023

Same problem, iOS shows the message fine, element-desktop is unable to decrypt

{
  "type": "m.room.message",
  "content": {
    "msgtype": "m.bad.encrypted",
    "body": "** Unable to decrypt: DecryptionError: Duplicate message index, possible replay attack: grzwPC3AyZHdXgosbqC/nEguJfKRX7WGuNP4PI4KABo|0dW6mPq/CMD/Wjl0ClAsiuHtThH73iIHZBCH6A7Zh1A|3 **"
  }
}

element-desktop:

Element version: 1.11.30
Olm version: 3.2.12

@arcuru

arcuru commented May 4, 2023

It looks like the likely root cause of the most common scenario has been found in element-hq/element-ios#7499

In short, there are probably 3 separate problems that would be great to fix:

  • iOS Element is broken when using the iOS Share Extension
  • iOS (and Android?) Element is too lenient in decrypting, and should also display an error/warning when it sees a duplicate message_index (EDIT: see the note at end of message)
  • Element Web should handle this better. Don't request keys because it won't help, and probably have a button for "It's not a replay attack, show me the message". Displaying the possibly replayed message with a warning is probably better than not allowing any way to view the message, but that should be discussed in a separate issue.

EDIT: Thinking about this more, the implementation of this check itself is broken. If the contents of the message are different, and it's encrypted with the right keys, the message is obviously not a replay attack and can only be a bug in the index. The index is included in the encrypted space of the message, and this check is there only to make sure someone isn't blindly replaying old messages (see notes in the Megolm spec). The risk being mitigated is an attacker without the keys replaying an old message (index + contents); an attacker is not able to send a message with a duplicate index and different content unless they have the keys.

And if it was an attack, the attacker could just flood a room with these "Unable to decrypt" messages and render the room unusable in the client anyways, so this check is almost entirely useless as it's currently implemented in the Web client.

iOS and Android Clients seem correct in ignoring these issues, and at most should display a warning.
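
The distinction drawn in the comment above, sketched as an added example (not part of the thread, and not Element or matrix-js-sdk code): a per-index tracker that separates a true replay from a sender-side index reuse. The class, field names and sample events are hypothetical and constructed; the map key is assumed to mirror the `senderKey|sessionId|index` shape visible in the error strings quoted on this page.

```javascript
// Added illustration. Runs after a successful Megolm decryption, so the
// plaintext and message index have already been authenticated by the session key.
class MegolmIndexTracker {
  constructor() {
    // "senderKey|sessionId|index" -> first event seen at that index.
    // Plaintext is kept here for clarity; a digest of it would serve as well.
    this.seen = new Map();
  }

  check({ senderKey, sessionId, index, eventId, plaintext }) {
    const key = `${senderKey}|${sessionId}|${index}`;
    const prev = this.seen.get(key);
    if (!prev) {
      this.seen.set(key, { eventId, plaintext });
      return "ok";
    }
    // Same event decrypted again (scrollback, cache reload): not a replay.
    if (prev.eventId === eventId) return "ok";
    // A different event carrying the same index AND the same contents is what
    // someone without the keys can produce by re-sending an old ciphertext.
    if (prev.plaintext === plaintext) return "replay";
    // Different contents at the same index need the session key, so this is
    // a bug in the sender's index handling: show the message with a warning.
    return "index-reuse";
  }
}

// Constructed sample timeline for one session (all values are made up).
const SAMPLE_EVENTS = [
  { eventId: "$a", index: 3, plaintext: "hello" },
  { eventId: "$a", index: 3, plaintext: "hello" },     // re-decrypted from cache
  { eventId: "$b", index: 3, plaintext: "hello" },     // old ciphertext re-sent
  { eventId: "$c", index: 3, plaintext: "photo.jpg" }, // sender reused the index
  { eventId: "$d", index: 4, plaintext: "next" },
];

function classifyTimeline(events) {
  const tracker = new MegolmIndexTracker();
  return events.map((e) =>
    tracker.check({ senderKey: "SENDER_KEY", sessionId: "SESSION_ID", ...e })
  );
}

console.log(classifyTimeline(SAMPLE_EVENTS));
```
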

@einmueller

I think the broken usage of the share extension should be fixed first, not the relaxed handling of this error in mobile clients. I'm really happy that all of my family uses Android and iOS apps and doesn't see this bug, which would lead to support requests and discussions about "never had problems with other messengers..." sigh

[ beside: I'd like to have some -Wall feature like with gcc. All Warnings for tech persons and relaxed handling (and silent ignoring) of such errors for people who are not really interested in security at all. ]

@t3chguy
Member

t3chguy commented May 5, 2023

Closing in favour of #25108

element-hq/element-ios#7499 is the cause of the actual issue

@t3chguy t3chguy closed this as completed May 5, 2023
@skrap

skrap commented Jun 3, 2023

> Closing in favour of #25108
>
> vector-im/element-ios#7499 is the cause of the actual issue

Note that this issue is S:Major and #25108 is S:Minor, so closing this one in favor of that has effectively demoted the issue.
