Please be aware that a Matrix / Element exploit is being used in the #grapheneos:matrix.org and #grapheneos-offtopic:matrix.org to impersonate GrapheneOS developers.
They're adding special characters to the end of a nickname not shown in Matrix clients.
Conversation
This is a fake account. It's not :matrix.org. It's incorrectly shown that way in common Matrix clients. It's part of the ongoing raids against our channels.
Most users in both channels are receiving these messages. Screenshots are from one of those users.
1
5
26
This Tweet was deleted by the Tweet author. Learn more
The information we have is what users have communicated to us and shown us in screenshots. Don't have all the details on what's happening ourselves.
Taking advantage of user interface design flaws to trick people is an exploit, just like using en.wikipedia.org/wiki/IDN_homog would be.
The main issue is not that they created an account called .:matrix.org but rather that they are abusing the display name in the user interface to trick people. It allows pretty much arbitrary content there and that's a problem. Abuse needs to be considered.
1
1
twitter.com/GrapheneOS/sta
Presenting the same thing as a trusted client side UI is exploiting a user interface design flaw. Just because it's a user interface design flaw doesn't make it any less of a flaw. Not everything has to be a memory corruption bug to be a vulnerability.
Quote Tweet
Basically, Element displays (@account) after an ambiguous display name but it's possible for people to add that client UI to their actual display name to trick people.
Users are used to seeing it as a trusted client UI but it's possible for someone to completely fake it instead.
Show this thread
4