Element – The New(ish) Kid On The Block
Element came to my attention a few years ago. I had heard people in the privacy community talking about it. I wanted to see from both an OSINT and Privacy perspective what I could find out, what was freely available to be discovered.
Since 2016, Element has been known in other guises such as, Riot & Vector and is a client based on the Matrix protocol. Matrix operates on a decentralised network and can be self hosted or fully managed. Element now appears to have settled on its name and has been gaining popularity.
Element is available on the Web, Android, iOS, Mac, Windows & Linux desktop. It is aimed towards organisations / businesses in a similar way to Slack and like Slack it is free for personal use. Element uses the encryption implemented within the Matrix open standard, this enables personal E2EE messaging. You can encrypt a room however this does not appear to be recommended.
I am going to talk about the free version of Element mainly the matrix.org server. When you sign up you’ll need to choose a server, the default is matrix.org. You only need to provide a username and password when signing up. You can provide an email to sign up for account recovery and it is then optionally whether you make it discoverable to your contacts. You may be asked as part of the sign up to provide an email for verification purposes, but you can delete it as soon as you are set up. You cannot use a mobile number to sign up but you can add one to your account if you so wish and make that discoverable too.
You can use Element to communicate with other chat platforms, including Slack, Signal, Telegram, Facebook Messenger, Google Hangouts, Skype, Discord, Signal, Twitter and even iMessage.
For the purpose of this blog I used a mixture of, Linux, Windows, Android & iOS, as I wanted to see the differences in functionality.
Researching Element outside of an account is not as easy as it is with Telegram or Discord.
I liken the layout & usability of Element as similar to Telegram, which I use quite a bit. If you have ever used the web version or desktop app of Telegram then you will be at home searching on Element.
You can search via, keyword, name, user-id, email address or mobile number, albeit, as I explain later, it isn’t always straight forward. You can also search for rooms and search within a room. You are able to search globally for people and rooms and it does differ depending on which device and OS you use.
When searching for a room via a keyword, the rooms are ranked in order of how many members a room has. Once in a room you can then start exploring, however this setting will determine whether you can see the history of the room.
You are able to explore the settings of a room, so you would be able to see who has been banned from a room for instance.
You will see that you can discover people on other platforms who may not actually be on Element. t2bot.io is a public bot for Matrix which allows it to bridge to Telegram & Discord etc. So you won’t be surprised to hear that you can find similar groups and content on Element as you can find on Telegram and Discord. Element is also integrated with Gitter, which is the messenger app for Gitlab & Github. The owner’s of Element also own Gitter.
If you wanted you could use Element as a search engine for Discord, Gitter, Telegram, Twitter etc. Something else to remember is that room owners can implement their own bridges that are not based on t2.bot.io.
Within the account settings, is a setting called Discovery and this is where users will find the Identity Server. This allows a user to be discoverable by their email or mobile number if they have linked them to Element. Discovery is disabled by default, the default server is vector.im. Turning Discovery on will not automatically mean that a user’s email and mobile are discoverable, the account holder must give separate permissions for this, as tested on an Android device.
On both Android & iOS you can sync your contacts with the identity server. The following explains how the identity server works,
‘You can look up a Matrix ID by searching for its associated Third Party Identifiers. You cannot look up Third Party Identifiers by searching for their associated Matrix ID. For example: if Alice has used the Identity Server to link her email, alice@example.com with her Matrix ID, @example:matrix.org, other users can look up her Matrix ID by querying the Identity Server with her email address, but they cannot discover her email address by querying the service with her Matrix ID.’
You are able to search across servers for people and rooms. As mentioned matrix.org is the default server. It is worth noting the below, when you search within your account you will see the below servers user-ids.
When logged into an account you can use the the global search bar or the search options of either searching for a room or a person.
I didn’t find the global search function for people particularly effective on the web or desktop version. You can search Element for rooms or people, in the person options you can search by keyword too. Good if you are looking for a user who may have a keyword like Osint in their display name or user-id.
Below is an example of how the t2bot.io has found users on Twitter & Discord using Osint as a keyword.
Along with the display name, username, and profile image you will also see a user-id. What I can say is that the user-id, is correct for the Twitter & Discord accounts.
Searching for rooms offered more consistent results and was straight forward, however I noticed that only my iOS showed me the status of people in a room.
The native search facility on Element I found poor and it does not always show you the person you are looking for, you can see profile images, display names and usernames. If you know the username or email address of the person then Element will let you send them a DM, if they have enabled Discovery.
As I say, inputting an identifier into the global search bar will not necessarily find the user you are looking for. You will frequently be presented with the below: –
I believe that this reflects potentially the privacy settings, especially for those on matrix.org who have not enabled, Discovery.
In a personal chat you are able to share you location with someone and vice-versa. I haven’t explored this side of Element yet.
You can read more about location sharing here: –
When you join a room there is a drop down menu that contains the following:-
· People lets you see who is already in the room, with the option to invite others to join.
· Files gives you instant access to the shared files in the room.
· Export chat lets you download the conversation in a room and export it to HTML, Plain Text and JSON formats.
· Share room gives you a way to invite multiple people to the room, via a QR code or social media.
· Room settings gives you a series of advanced room setting options.
Please note, as a room member you can only amend a few settings of a room, such as notifications.
In the room you can look at the members, some will have some interesting details available, as in their logged in sessions.
You can also see those sessions which contain some interesting OSINT information.
What you can see from the above is the session(s) that a user is logged in to. Not all the session maybe live though, they may have simply forgot to delete old sessions from their settings menu. Due to the way Element will ask you to log-in after a period of inactivity, you can end up with numerous sessions. The information you see will also be determined by this setting, which is off by default: –
I have noticed in my own settings that the device I am currently using appears as the top device, however I have not been able to determine how they are ranked when looking at my sessions form another account.
One matter to note, users can rename their sessions, so bear that in mind when you see information such as the name of an device or OS.
In a room you can also see a member’s, profile image, display name & user-id. A user can change their profile name but not user-id.
You can also search the chat / room you are currently in or across all of the chats / rooms you are a member of. You just need to select the spyglass icon in the top right hand menu and the search by your chosen keyword.
If we know how the URL is structured then we can access rooms that are public from a browser without being logged in. The below room setting will determine whether you can access a room in this way, this is set by the admin.
You will be shown as a guest when not logged in. Always double check that you have the URL correct for any query, as Element will prompt you to sign in and you may not realise that you have made a mistake with the URL.
As I have said not all rooms that are publicly visible, will have, guest access enabled, and you may be asked to sign-in. You also need to check that Element simply hasn’t noted your behaviour as suspicious. This would mean starting afresh, with a new browser, IP and maybe device.
The URL structure for searching rooms is: –
https://app.element.io/#/room/#/NAME-OF-ROOM:matrix.org
However the last part, : will depend on the name of the server, the above example is matrix.org. The URL is not necessarily the same as the actual room name, it all depends how the admin has created their, ‘Published Addresses.’
If you do not know the name of a room, type in, https://app.element.io/#/room/#/:matrix.org into the address bar and it will still bring up the global search bar, where you are able to search by keyword.
Sometimes rooms that are public, that I was able to access from the web one day, I have suddenly been presented with the sign-up / sign-in prompt. That said, if you come across this you will still be presented with the facility to search for public rooms and you can then just use the global search bar to find the room you initially wanted but was stopped by the sign in prompt. If this fails, think of refreshing your session and look at any OPSEC measures such as a VPN, change your server location if necessary.
Even though the below gives you the facility to search for people, selecting this option will present you with the sign-in / create an account prompt.
My initial research theory is that Element doesn’t want you to be able to search for users without being logged in. The URL structure for a user appears like this: –
The numbers at the end appear to be random but what I did notice, when I inserted a user-id I knew existed into the URL, I was shown the circle of doom and a log-out prompt. When I tried a username that I had absolutely no idea, existed or not I was shown a 404 error.
As a guest on the web version you are still able to see most of what you could if you were signed in. A couple of things I have found is that you are not able to access the files and there is no spy glass. As you can see from the below image, it is still the same menu as the one I showed you earlier, when I was logged in. You can export the chat as a guest.
When you are logged in, and in a room or a chat you will see these icons in the top right.
If you are not logged in and using the browser you only see these icons.
Element rooms and members profile images do not appear to be consistent in size, if you access then from the group chat, what I have found is that you able to manipulate the URL structure. The below is for image that is 30 x 30. You can enlarge these to 100 x 100.
Alternately you can remove the, &method=crop, from the end of the URL. It appears 500 x 500 is the largest image you can obtain.
I have seen profile images of 451 x 451, one way to obtain a profile image this size, is to go to the settings drop down menu and select members, click on the member of interest and then right click – and open the image in new tab.
Once you have your profile image then you can start reverse image searching it.
An example of such: –
Right click on the profile image and either save it, so that you can manually reverse image search it or use the extension Search by Image.
Google & Yandex found a match. Top Tip, Yandex is good for researching Telegram.
The advantage of searching without being logged in, is that you are able to view more rooms without the need to join. I know what you are thinking, that can’t be right but it is, as I will show you below. It is because you do not have a Matrix user-id, and as such you can only view the rooms. If you were logged into your account you would have a Matrix user-id and this would then come down to the room settings as to whether they are viewable.
As you can see from the below two screen shots, the first one is not logged in using the web, which allows me to view public rooms.
The second screen shot is me logged in however I can only join the same rooms.
Not logged in: –
Logged in: –
It all depends on whether the admin of a room has enabled the below setting: –
Clearly being able to view rooms not logged in is an advantage from an OPSEC perspective.
There is one overarching issue that I found, that may alter the above, I found some very strange behaviour from Element, in what it would allow me to view sometimes and not others, my best guess is that because Element, is aimed at privacy and security, its algorithms picks up on suspicious behaviour and adapts accordingly, especially when using the web or desktop app not logged in. My use of a VPN may also have been an issue. Android & iOS offered more consistent usability as tends to be the case with mobile apps.
Another Top Tip when creating sock puppet accounts, you will have far less issues using a mobile device.
As a result of not being logged in, you may not get done everything you need to in one visit, You may have to regroup, change you IP, browser and even device and go again.
As a guest you are given a guest @usernumber, one way to see if you have got yourself a new session is to see if the @usernumber has changed.