Discovering and Remediating Multiple Vulnerabilities in the Globally Used Chat Tool 'Rocket.Chat' ~Scheduled for Presentation at Black Hat Asia 2026, a Prestigious International Conference in the Industrial Security Field~
A joint research team of NICT, Osaka University, and NEC discovered critical vulnerabilities in the E2E encryption of 'Rocket.Chat'. They proposed countermeasures, contributed to patches, and will present their findings at Black Hat Asia 2026.
[Points]
■ Conducted the world's first "security evaluation from the perspective of cryptographic usage" on the globally used chat tool "Rocket.Chat"
■ Discovered critical vulnerabilities leading to "message forgery," "decryption of encrypted messages," and "prolongation of attacks," and developed countermeasures against these attacks
■ Scheduled to give a presentation at Black Hat Asia 2026 Briefings, a highly competitive international conference in the industrial security field
A joint research team consisting of the National Institute of Information and Communications Technology (NICT, President: Hideo Ohno), Osaka University (President: Atsushi Kumanogo), and NEC Corporation (NEC, President and CEO: Takayuki Morita) has conducted the world's first (according to NICT research) "security evaluation from the perspective of cryptographic usage" of the on-premise chat tool "Rocket.Chat"*1, which is commercially used by approximately 12 million people worldwide, using the methodology of "specification analysis, implementation investigation, and proof of concept." The team discovered critical vulnerabilities leading to "message forgery," "decryption of encrypted messages," and "prolongation of attacks." They designed attack scenarios exploiting these vulnerabilities before attackers could, verified that the scenarios work, and developed countermeasures. The results of this security evaluation and the countermeasures were reported to the development company, together with proposed improvements to the overall protocol design.
A paper summarizing these results, which contributed to preventing attacks exploiting the vulnerabilities, has been accepted by the academic conference ACSAC 2025. Furthermore, a presentation has been accepted for the Black Hat Asia 2026 Briefings (Location: Singapore, April 24), a highly competitive international conference in the industrial security field. The work has thus been highly regarded by both academia and industry.
[Background]
Until now, commercial chat tools have predominantly been delivered as Software as a Service (SaaS), as represented by Slack and Microsoft Teams, where much of the service provision and data management is commonly entrusted to the operator. In recent years, however, concerns about managing highly confidential corporate data and the risks of cross-border data management when using foreign companies' SaaS have drawn attention to on-premise chat tools, which let organizations install the software on servers they manage and keep messages and user data within their own organization.
"Rocket.Chat," an on-premise commercial chat tool, provides end-to-end encryption*2 of text messages as a feature for securely handling highly confidential data. While its adoption is spreading among private enterprises in Japan and abroad and among foreign municipalities, Rocket.Chat's end-to-end encryption had not undergone sufficient security verification because of its proprietary specifications and implementation complexity. There was therefore a risk of attacks via unknown vulnerabilities, and countermeasures were urgently needed.
[Current Results]
In this research, we conducted the world's first "security evaluation from the perspective of cryptographic usage" targeting the on-premise chat tool "Rocket.Chat" using the methodology of "specification analysis, implementation investigation, and proof of concept" (see Figure 1). As a result, we found that overlapping structural problems, such as insufficient coordination among multiple protocol designs, led to vulnerabilities resulting in "message forgery" and "decryption of encrypted messages." Furthermore, deficiencies in the leak mitigation function for keys*3 used for both encryption and decryption led to vulnerabilities causing "prolongation of attacks."
For these vulnerabilities, we designed five specific attack scenarios to clarify the conditions under which the assumed attacks succeed. Additionally, as a proof of concept, we implemented the attack scenarios and verified that each one actually works.
The results of the security evaluation were reported to the development company, Rocket.Chat Technology, in May 2024, and collaboration with the company began. At that time, we proposed countermeasures against the discovered attacks and presented improvements to the entire protocol design. Subsequently, between October 2024 and December 2025, patches and functional modifications addressing the high-impact attack scenarios were implemented (the release notes at https://github.com/RocketChat/Rocket.Chat.ReactNative/releases/tag/4.51.0 include a special thanks for this collaboration).
These results have contributed to preventing attacks that exploit the vulnerabilities and are highly regarded by both academia and industry, with a presentation scheduled at the Black Hat Asia 2026 Briefings, a highly competitive international conference in the industrial security field.