[openstreetmap/openstreetmap-website] User Name Spoofing (Issue #3919)
map-per
notifications at github.com
Sat Feb 4 10:29:55 UTC 2023
### Problem
It is possible to spoof users by creating fake user accounts with names that look identical to the name of the real account but use different Unicode characters.
### Description
This happened yesterday with this account:
real account: https://www.openstreetmap.org/user/limes11
fake account: https://www.openstreetmap.org/user/Iimes11
The real account starts with a lower case 'L' and the fake account starts with an upper case 'i'.
The same thing is possible with e.g. the character 'a', which looks identical in the Latin and Cyrillic alphabets. There is a good summary mentioning way more problematic characters on Wikipedia (1).
A solution to this might be to check whether an account with a similar name already exists when creating a new account (looks like there already is a check that prohibits names that just differ in lower-/uppercase) or to prohibit the use of characters from more than one alphabet in new usernames.
(1) https://en.wikipedia.org/wiki/IDN_homograph_attack
### Screenshots
_No response_
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/3919
Message ID: <openstreetmap/openstreetmap-website/issues/3919 at github.com>
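The two mitigations the report proposes (reject names mixing scripts, and reject names that collide with an existing account once look-alike characters are folded together) as an added example in plain Ruby. This is not code from the issue or from the openstreetmap-website project; the confusable table below is a small hand-picked subset chosen for this example, whereas a real deployment would load the full Unicode confusables data.

```ruby
# frozen_string_literal: true

# Added example (not openstreetmap-website code): two signup-time checks that
# reduce Unicode homograph spoofing of user names.
#
# 1. mixed_scripts?  - flags names whose letters come from more than one script
#    (e.g. Latin + Cyrillic).
# 2. skeleton        - folds a name to a "confusable skeleton" so that names
#    differing only in look-alike characters collide, allowing a uniqueness
#    check against existing accounts.

# Scripts considered here (assumption: a real check would cover all scripts).
SCRIPTS = {
  latin: /\p{Latin}/,
  cyrillic: /\p{Cyrillic}/,
  greek: /\p{Greek}/
}.freeze

# Returns the list of scripts whose letters appear in +name+.
# Digits and punctuation belong to the "Common" script and are ignored.
def scripts_in(name)
  SCRIPTS.select { |_, re| name.match?(re) }.keys
end

def mixed_scripts?(name)
  scripts_in(name).length > 1
end

# Hand-picked confusable map (assumption, not the full Unicode table):
# look-alike character -> canonical representative.
CONFUSABLES = {
  "I" => "l",      # capital i vs lowercase L, the case from the report
  "1" => "l",
  "|" => "l",
  "0" => "o",
  "\u0430" => "a", # Cyrillic a
  "\u0435" => "e", # Cyrillic ie
  "\u043E" => "o", # Cyrillic o
  "\u0440" => "p", # Cyrillic er
  "\u0441" => "c", # Cyrillic es
  "\u0445" => "x", # Cyrillic ha
  "\u0443" => "y", # Cyrillic u
  "\u03BF" => "o", # Greek omicron
  "\u03B1" => "a"  # Greek alpha
}.freeze

# Confusable skeleton: NFKC-normalise (folds fullwidth forms etc.), replace
# look-alikes with their canonical character, then lowercase. Mapping happens
# before downcasing so that capital "I" folds to "l" rather than to "i".
def skeleton(name)
  name.unicode_normalize(:nfkc)
      .each_char
      .map { |c| CONFUSABLES.fetch(c, c) }
      .join
      .downcase
end

# Returns the list of problems found for a proposed name, given the names of
# existing accounts. An empty list means the name passes both checks.
def signup_problems(name, existing_names)
  problems = []
  problems << :mixed_scripts if mixed_scripts?(name)
  taken = existing_names.map { |n| skeleton(n) }
  problems << :confusable_with_existing if taken.include?(skeleton(name))
  problems
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: the real account from the report plus attempts.
  existing = ["limes11"]
  ["Iimes11", "p\u0430ypal", "alice"].each do |candidate|
    puts "#{candidate.inspect}: #{signup_problems(candidate, existing).inspect}"
  end
end
```

The skeleton check is what catches the reported case ("Iimes11" folds to the same skeleton as "limes11"), while the mixed-script check catches names such as a Latin word with one Cyrillic letter swapped in even when no existing account collides. Running the two checks together, rather than either alone, is the combination the report hints at: uniqueness on the folded form plus a script restriction on new names.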