Un-authable membership events can corrupt HS room state (SYN-735)

[matrixbot]

See https://vector.im/develop/#/room/!DgvjtOljKujDBrxyHk:matrix.org/$1469181498665GNapO:kolm.io for scrollback of me trying to figure out why Yaniel can't speak in Matrix HQ.

Matrix.org seemed to get a consistent membership event for him but his HS is having none of it and will not let him join nor leave. I see a lot of the classic, "Event content has been tampered, redacting" log lines on both servers (and not for the un-authable event).

(Imported from https://matrix.org/jira/browse/SYN-735)

(Reported by @dbkr)

[matrixbot]

Jira watchers: @dbkr @richvdh

[matrixbot]

Links exported from Jira:

relates to #1574

[matrixbot]

From Dylanger:

Basically I took richvdh's identity
And his domain
Under my HS
Had his privs
Then gave myself permissions

I just changed my HS'es domain name
In YAML

So Dylanger has convinced his own HS that he has admin, and used that to generate a kick event, which has then been sent to Yaniel's, which has then accepted the kick despite the broken auth chain.

-- @richvdh

[matrixbot]

I think the spoofed event ID here is $14691813430ugbai:onedefence.com

-- @dbkr

[matrixbot]

From [~erikj]:

I don't think it was the spoof that actually caused the issues, but that auth rejected events were accidentally being inserted inserted into the state
(as opposed to events that were rejected way earlier due to bad sigs)

-- @richvdh

[richvdh]

This is probably #1935

[richvdh]

hrm... maybe not.

[richvdh]

I'm reasonably sure this has been fixed by things like #10225.