Please be aware that a Matrix / Element exploit is being used in #grapheneos:matrix.org and #grapheneos-offtopic:matrix.org to impersonate GrapheneOS developers. They're adding special characters to the end of a nickname not shown in Matrix clients.
This is a fake account. It's not @strcat:matrix.org. It's incorrectly shown that way in common Matrix clients. It's part of the ongoing raids against our channels. Most users in both channels are receiving these messages. Screenshots are from one of those users.

Feb 28, 2021 · 4:43 AM UTC

This was an early revision of the message. Later messages are using revised versions of it. They're likely going to try other nasty stuff. Clients are displaying the account names incorrectly and it doesn't even have the extra character(s) when copying. Can't trust your client.
Reported this to [email protected] and [email protected] but it's being actively used to trick potentially hundreds of our users. It's not at all a secret after being actively used this way and it's also fairly unlikely they discovered this. This was likely already being used.
Ended up receiving one of these messages ourselves so now we were able to take a closer look at it. They're taking advantage of display names having too much flexibility to make a fake trusted UI which users think is part of their client combined with the sneaky account names.
They successfully tricked a lot of people this way. Display names are problematic in general as a social engineering vector, but they're using a particularly nasty way of using it to display a fake client UI. Expect this is going to be a problem we see regularly in these raids...
Basically, Element displays (@account) after an ambiguous display name but it's possible for people to add that client UI to their actual display name to trick people. Users are used to seeing it as a trusted client UI but it's possible for someone to completely fake it instead.
The information we have is what users have communicated to us and shown us in screenshots. Don't have all the details on what's happening ourselves. Taking advantage of user interface design flaws to trick people is an exploit, just like using en.wikipedia.org/wiki/IDN_ho… would be.
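
A defensive check for the two tricks described in the thread, as an added example that is not GrapheneOS, Matrix or Element code: it flags an account name with invisible characters or characters outside the Matrix user ID grammar, and a display name that carries its own "(@account)" text for a different account. The function names, finding labels and sample inputs are constructed for illustration; the zero-width space is an assumed stand-in, since the thread does not name the characters used.

```python
import re
import unicodedata

# Matrix user ID grammar per the spec: restricted lowercase localpart, then server.
# Simplification (assumption): IPv6-literal server names are not accepted here.
MXID_STRICT = re.compile(r"@[a-z0-9._=/+-]+:[A-Za-z0-9.-]+(?::\d+)?")
# Anything inside a display name that merely looks like "@user:server".
MXID_LOOKALIKE = re.compile(r"@[^\s@:()]+:[^\s@()]+")
# Format, control, unassigned, private-use and line/paragraph separator characters.
HIDDEN_CATEGORIES = {"Cf", "Cc", "Cn", "Co", "Zl", "Zp"}


def hidden_chars(text):
    """Return the characters in text that a client would typically not draw."""
    return [c for c in text if unicodedata.category(c) in HIDDEN_CATEGORIES]


def reveal(text):
    """Escape everything outside printable ASCII so it shows up in logs."""
    return "".join(c if " " <= c <= "~" else f"\\u{{{ord(c):04X}}}" for c in text)


def audit_sender(mxid, display_name):
    """Return a list of finding labels for one (account, display name) pair."""
    findings = []
    if not MXID_STRICT.fullmatch(mxid):
        findings.append("mxid-outside-grammar")
    if hidden_chars(mxid):
        findings.append("mxid-hidden-chars")
    if hidden_chars(display_name):
        findings.append("displayname-hidden-chars")
    # A display name containing "(@account)" text imitates the disambiguation
    # the client itself draws; flag it when it names a different account.
    if any(claimed != mxid for claimed in MXID_LOOKALIKE.findall(display_name)):
        findings.append("displayname-claims-other-mxid")
    return findings


if __name__ == "__main__":
    # Constructed samples: (sender account, display name).
    samples = [
        ("@strcat:matrix.org", "strcat"),
        ("@strcat\u200b:matrix.org", "strcat (@strcat:matrix.org)"),
    ]
    for mxid, name in samples:
        print(reveal(mxid), "|", reveal(name), "->", audit_sender(mxid, name))
```

Non-ASCII display names are legitimate and are not flagged by `audit_sender`; `reveal` escapes them only so that nothing in a log line is invisible.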