element-hq
"System Alerts" invitation looks like a phishing attempt
The "System Alerts invited you" dialogue box looks potentially malicious, as though it was a phishing attempt from a spam attacker.
Could you clarify: was this not a phishing attempt? And if not, where can I find more info? Thanks... :)
it's not phishing; sorry for confusion. https://twitter.com/matrixdotorg/status/999991655557140481
https://github.com/vector-im/riot-web/issues/6796 has a proposed fix.
Leaving this here for now for anyone who comes to github looking for information about System Alerts.
One thing that could also help here is to reduce the number of links to just the one which needs to be clicked - currently the explosion of URL previews and the markdown'ed link make it very hard to see what you should be reading and click one, especially given the main one is hidden as a MD link rather than a standalone URL.
I'm "blocking" this on a solution to https://github.com/vector-im/riot-web/issues/6796 because I have no other way to show that there's a link between two issues while keeping them both open.
Discord seems to handle this pretty well:
- No invite, it just joins.
- No way to leave the DM
- It's a DM with the service
- The DM itself is annotated twice to indicate what it is (badge and subtext, neither of which normal DMs get)
- The composer is replaced entirely with a banner explaining what is going on, with a button to find out more
- When you receive a message, it puts up a dedicated dialog to bring you there
- The room cannot be muted or have its notification level changed
Edit: The link actually has the dialog mentioned above - https://support.discord.com/hc/en-us/articles/360036118732
This got significantly better in the last-but-one rewrite of the room list (https://github.com/matrix-org/matrix-react-sdk/pull/4253), but seems to have regressed again in the most recent one (https://github.com/element-hq/element-web/issues/29189)?
It's worth noting that, as of https://github.com/matrix-org/synapse/pull/16699, homeserver admins can configure their server notices so that users are automatically joined to the server notices room rather than having to accept an invite first, which may help to mitigate the "this looks like a phishing scam" aspect.
the EX room list also does not have any separators so i'm researching to see if that's received any feedback on whether it looks like spam or not :)
Ok... General Feedback is that server notices are confusing and it's not clear that it's a high-priority item. There's an MSC open: https://github.com/matrix-org/matrix-spec-proposals/blob/travis/msc/reporting-v2/00-user-server/proposals/4279-service-notice-rooms.md#implementation-expectations and the T&S team are looking at a whole other way to handle these from the users POV. Adding a section into the room list will not fix the underlying problem here. I propose that we link this to the V2 epic of the room list, and if there's something to be done there we will try our best. Otherwise, this should be handled with an alternative epic where sysAlerts are prioritised directly instead of lumped in with the room list :)
Adding a section into the room list will not fix the underlying problem here.
It might serve to mitigate it at least. But yes, I agree with everything you wrote :)