Please be aware that a Matrix / Element exploit is being used in #grapheneos:matrix.org and #grapheneos-offtopic:matrix.org to impersonate GrapheneOS developers.
They're adding special characters to the end of a nickname not shown in Matrix clients.
This is a fake account. It's not :matrix.org. It's incorrectly shown that way in common Matrix clients. It's part of the ongoing raids against our channels.
Most users in both channels are receiving these messages. Screenshots are from one of those users.
This was an early revision of the message. Later messages are using revised versions of it. They're likely going to try other nasty stuff.
Clients are displaying the account names incorrectly and it doesn't even have the extra character(s) when copying. Can't trust your client.
Reported this to abuse@matrix.org and security@matrix.org but it's being actively used to trick potentially hundreds of our users.
It's not at all a secret after being actively used this way and it's also fairly unlikely they discovered this. This was likely already being used.
Ended up receiving one of these messages ourselves so now we were able to take a closer look at it.
They're taking advantage of display names having too much flexibility to make a fake trusted UI which users think is part of their client combined with the sneaky account names.
They successfully tricked a lot of people this way. Display names are problematic in general as a social engineering vector, but they're using a particularly nasty way of using it to display a fake client UI. Expect this is going to be a problem we see regularly in these raids...
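An added example, not part of the original thread and not GrapheneOS or Matrix project code: one way to check the raw `sender` string from an event's JSON instead of trusting what the client renders. It assumes the strict Matrix user ID grammar (lowercase ASCII localpart) and uses constructed placeholder IDs; all function names are hypothetical.

```python
import string
import unicodedata

# Assumption: strict Matrix user ID grammar; anything outside it is reported.
LOCALPART_OK = set(string.ascii_lowercase + string.digits + "._=-/+")
SERVER_OK = set(string.ascii_letters + string.digits + ".-:[]")
# Unicode categories that usually render as nothing or as blank space.
HIDDEN = {"Cc", "Cf", "Cn", "Co", "Mn", "Me", "Zs", "Zl", "Zp"}


def escape_hidden(text):
    """Show every character outside printable ASCII as <U+XXXX>."""
    return "".join(c if "!" <= c <= "~" else f"<U+{ord(c):04X}>" for c in text)


def describe(ch):
    """Code point, Unicode name and general category of one character."""
    return f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')} [{unicodedata.category(ch)}]"


def audit_user_id(raw_id, trusted_id):
    """Audit the raw `sender` string from event JSON against a known-good ID."""
    localpart, sep, server = raw_id[1:].partition(":")
    findings = []
    if not raw_id.startswith("@") or not sep:
        findings.append("not of the form @localpart:server")
    findings += [f"localpart: {describe(c)}" for c in localpart if c not in LOCALPART_OK]
    findings += [f"server: {describe(c)}" for c in server if c not in SERVER_OK]
    # Exact code point comparison, deliberately without Unicode normalisation.
    return {"same_account": raw_id == trusted_id,
            "escaped": escape_hidden(raw_id),
            "findings": findings}


def audit_display_name(name):
    """List characters in a display name that a client may render invisibly."""
    return [describe(c) for c in name
            if c != " " and unicodedata.category(c) in HIDDEN]


# Constructed samples: placeholder IDs, not the accounts from the thread.
TRUSTED = "@developer:example.org"
SAMPLES = [TRUSTED, "@developer\u200b:example.org", "@developer:example.org\u2060"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_user_id(sample, TRUSTED))
    print(audit_display_name("Example\u200e\nName"))
```
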
I remember a Tweet of yours yesterday regarding a Telegram group impersonating the GrapheneOS project. I cannot find it. Is the issue resolved?
The tweet was needed as input for an official Telegram bot used to take over a username. They let you obtain a username if you own it on 2/3 of Twitter, Facebook and Instagram. Couldn't figure out what a Facebook username would actually mean so used Instagram + Twitter for it.
It wasn't meant as a tweet for people to actually read, just Telegram's official bot / procedure for obtaining a username. We successfully obtained the username and the account was deleted to get it back.
I am happy to hear this. Another question regarding grapheneos.tld domains in other countries. Do you prefer to leave them untouched? Or do you like them being registered and forwarded to your main domain? If someone wants to do this out of courtesy & respect for your project?