> we found a known backdoor in how Matrix encryption is implemented
Oh wow!! I wonder what it is
> admin can obtain an access token for your account and register a new device
...eh.
Validate and sign your encryption keys, use end-to-end encryption, folks. You really should do this, as this prevents this kind of attack. You cannot trust the admin, and so it is your responsibility to manage your keys. Hilarious to say this, but Matrix has a great UX around this.
As a disclaimer, I'm saying this as an admin of the Matrix instance, and as someone who found and reported an issue in Matrix's media encryption spec several years ago.
But yeah, Matrix not encrypting emoji reactions is extremely cringe.