As we are introducing element/matrix to our organization and rely on it for day-to-day communication, we are starting to worry about a growing phishing surface.
Since we are not the only org/community that might be targeted, I'd like to collect potential weaknesses in the design of Element and Matrix and helpful comments and mitigations here. Maybe a discussion is not the right place, so feel free to move it somewhere else.
This discussion could be used by organizations to find relevant phishing surfaces and raise awareness or take countermeasures.
It might also serve as a starting point for contributors who would like to improve some of these aspects.
Please, anyone, feel free to share your thoughts and experiences with these suggestions and add your own concerns and mitigations.
To get started:
Impersonation / CEO-fraud and similar
Users might be contacted by an attacker and tricked into believing them to be a trusted friend or member of a community or organization.
Countermeasures
Disabling or allowlisting federation on the homeserver
Warnings or labels about external users as used in emails (not implemented)
Clients or homeservers could be configured to display a label in addition to the display name based on the MXID domain, e.g. [EXTERNAL] CEO (@ceo:exmaple.com) for someone trying to phish a user of example.com.
I might have missed something but I have not seen this discussed anywhere in the element / matrix ecosystem.
In orgs (especially companies) currently running on email, users already know these types of labels and usually are aware not to trust external users.
Unlike disambiguation above, not vulnerable against typosquatting.
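As an added illustration of the [EXTERNAL] labelling idea above (example code, not part of the original post, the Element client or Synapse), here is a small Python decorator that derives the label purely from the MXID's server name, so a lookalike display name cannot remove it, plus a near-miss check for typosquatted server names. The internal server list and the threshold of two edits are assumptions.

```python
import re

# Constructed example: the organization's own Matrix server names (assumption).
INTERNAL_SERVERS = {"example.com"}

# A Matrix user ID is "@localpart:server_name"; the server name is a hostname
# with an optional ":port". The first ":" separates the two parts.
SERVER_NAME_RE = re.compile(r"^[A-Za-z0-9.-]+(?::\d{1,5})?$")


def parse_mxid(mxid):
    """Return (localpart, server_name) or raise ValueError for malformed IDs."""
    if not mxid.startswith("@") or ":" not in mxid:
        raise ValueError(f"not a Matrix user ID: {mxid!r}")
    localpart, server_name = mxid[1:].split(":", 1)
    if not localpart or not SERVER_NAME_RE.match(server_name):
        raise ValueError(f"not a Matrix user ID: {mxid!r}")
    # DNS names are case-insensitive, so normalise before comparing.
    return localpart, server_name.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (typosquatted) server names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(server_name, internal=INTERNAL_SERVERS, max_distance=2):
    """Return the internal server name this external one resembles, or None."""
    for candidate in sorted(internal):
        if server_name != candidate and edit_distance(server_name, candidate) <= max_distance:
            return candidate
    return None


def label_display_name(display_name, mxid, internal=INTERNAL_SERVERS):
    """Prefix the display name with [EXTERNAL] unless the MXID is on an internal server.

    Only the server name decides the label: "example.com:8448" is a different
    Matrix server name from "example.com", and a display name of "CEO" is
    never consulted, which is the property the discussion asks for.
    """
    _, server_name = parse_mxid(mxid)
    if server_name in internal:
        return display_name
    return f"[EXTERNAL] {display_name} ({mxid})"
```

A client would apply this when rendering member names; a homeserver could apply the same rule when it forwards display names to its users.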