Please be aware that a Matrix / Element exploit is being used in the #grapheneos:matrix.org and #grapheneos-offtopic:matrix.org to impersonate GrapheneOS developers.
They're adding special characters to the end of a nickname not shown in Matrix clients.
Conversation
This is a fake account. It's not :matrix.org. It's incorrectly shown that way in common Matrix clients. It's part of the ongoing raids against our channels.
Most users in both channels are receiving these messages. Screenshots are from one of those users.
1
5
26
This Tweet was deleted by the Tweet author. Learn more
The information we have is what users have communicated to us and shown us in screenshots. Don't have all the details on what's happening ourselves.
Taking advantage of user interface design flaws to trick people is an exploit, just like using en.wikipedia.org/wiki/IDN_homog would be.
1
1
The main issue is not that they created an account called .:matrix.org but rather that they are abusing the display name in the user interface to trick people. It allows pretty much arbitrary content there and that's a problem. Abuse needs to be considered.
1
1
twitter.com/GrapheneOS/sta
Presenting the same thing as a trusted client side UI is exploiting a user interface design flaw. Just because it's a user interface design flaw doesn't make it any less of a flaw. Not everything has to be a memory corruption bug to be a vulnerability.
Quote Tweet
Basically, Element displays (@account) after an ambiguous display name but it's possible for people to add that client UI to their actual display name to trick people.
Users are used to seeing it as a trusted client UI but it's possible for someone to completely fake it instead.
Show this thread
4
This Tweet was deleted by the Tweet author. Learn more
No, because Twitter shows your actual username right under the display name and doesn't let you mimic the UI used to display it with your display name.
It never displays it as "DisplayName (@username)" and allow people to do "DisplayName ()" which is the issue here.
1
1
2
My display name is strcat. My username is :matrix.org. Since there are other users with the same display name (the virtual user for my IRC user), this is how Element displays my name in the main room. That part in parentheses is part of the Element UI.
Someone can set their display name to "strcat (:matrix.org)" and the Element UI doesn't differentiate in any way between that and the way that it shows the actual account name in parentheses like this. The trusted UI is ambiguous with untrusted UI. Real issue.
1
6