A mapper was able to rename their account to a username identical to one used by DWG for repairs, allowing them to revert dozens of changesets and remove the Russian language from OSM with a concerning message.
I’m not sure how this was possible, but it raises questions about account security. Is there a way to prevent this from happening again?
I must admit, I was taken aback to think that such changesets could have been initiated by someone affiliated with DWG.
I am equally shocked that the user only received a 24-hour block for their actions. This behavior should not be tolerated, and in my opinion, a user ban and automatic reversion of all changesets would have been more appropriate.
Given the scale of these changesets across the world, I anticipate there will be many comments and discussions about this today which could have been avoided.
Homograph attacks are a common problem in multilingual platforms that allow users to choose any arbitrary sequence of Unicode characters as a user name. The website developers have concluded that any solution to the problem, such as disallowing user names that are “confusable” with an existing user name, would impose too many restrictions on legitimate accounts:
@SomeoneElse, is this block the final word, or will the user be forcibly renamed if they don’t do it themselves?
We’ll deal with the damage but it might take a bit longer to repair things than to break them. And yes, the discussions about this could have been avoided if everyone on the planet was nice and friendly, but sadly that is not within our powers.
The account was blocked for a short time while we investigate but it is unlikely we will simply let them continue making these types of edits, so no need for you to be shocked.
As Minh has pointed out, Unicode is your oyster if you want to create lookalike usernames and it is extremely difficult to prevent that automatically. Even without Unicode tricks people have created lookalike usernames by replacing, say, a lower-case L with an upper-case I etc…
Just to clarify things:
Homographic (lookalike) attacks depend not only on the character represented by its Unicode numeric value, but also on the glyphs (optical appearance) of the font used.
E.g. an upper-case “I” and a lower-case “l” may look identical in sans-serif fonts but different in serif fonts.
Therefore pre-emptive measures are more laborious than they look at first glance.
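To make the two points above concrete (Minh’s: the site lets you pick any Unicode string; Andy’s and this post’s: lookalikes exist both across scripts and, font-dependently, within one script), here is an added example of the kind of “confusable” check a site could run at rename time. It is not OSM’s code and not anything the website developers proposed; the confusables table is a small hand-written subset of Unicode’s confusables.txt, the script detection approximates the Unicode Script property from character names (the Python stdlib has none), and the existing usernames are constructed for the demo.

```python
import unicodedata

# Hand-written subset of Unicode's confusables.txt (assumption: a real
# deployment would load the full table). Maps non-Latin code points that
# render like a Latin letter in essentially every font to that letter.
CROSS_SCRIPT_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x",                 # Cyrillic с у х
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K",  # Cyrillic А В Е К
    "\u041c": "M", "\u041d": "H", "\u041e": "O", "\u0420": "P",  # Cyrillic М Н О Р
    "\u0421": "C", "\u0422": "T", "\u0425": "X",                 # Cyrillic С Т Х
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H",  # Greek Α Β Ε Η
    "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O",  # Greek Κ Μ Ν Ο
    "\u03a1": "P", "\u03a4": "T", "\u03a7": "X", "\u03bf": "o",  # Greek Ρ Τ Χ ο
}

# Same-script lookalikes whose similarity depends on the font (I/l/1, O/0).
# Only applied in the "loose" skeleton, together with case folding.
FONT_DEPENDENT_FOLDS = str.maketrans({"I": "l", "1": "l", "0": "o"})

# Constructed existing usernames for the demo (not real accounts).
EXISTING_NAMES = ["alice", "Lloyd", "moderator_1"]


def skeleton(name: str, loose: bool = False) -> str:
    """Reduce a username to a comparison key.

    strict (loose=False): folds only what looks the same regardless of font:
      compatibility forms (fullwidth letters, ligatures), invisible characters,
      combining marks, and cross-script confusables.
    loose (loose=True): additionally folds the font-dependent pairs and case.
    """
    # NFKD splits accents off and maps compatibility forms (e.g. "ﬁ" -> "fi").
    s = unicodedata.normalize("NFKD", name)
    # Drop combining marks (Mn) and format/invisible characters (Cf) such as
    # ZERO WIDTH SPACE, which would otherwise let "ali<ZWSP>ce" pass as new.
    s = "".join(ch for ch in s if unicodedata.category(ch) not in ("Mn", "Cf"))
    s = "".join(CROSS_SCRIPT_CONFUSABLES.get(ch, ch) for ch in s)
    if loose:
        s = s.translate(FONT_DEPENDENT_FOLDS).casefold()
    return s


def scripts(name: str) -> set:
    """Approximate set of scripts used by the letters in name.

    Assumption: the first word of the Unicode character name ("LATIN",
    "CYRILLIC", "GREEK", ...) is a good-enough stand-in for the Script property.
    """
    found = set()
    for ch in name:
        if ch.isalpha():
            nm = unicodedata.name(ch, "")
            found.add(nm.split(" ")[0] if nm else "UNKNOWN")
    return found


def check_username(candidate: str, existing: list) -> dict:
    """Report why a requested username might be a lookalike of an existing one."""
    strict = skeleton(candidate)
    loose = skeleton(candidate, loose=True)
    report = {
        "mixed_scripts": len(scripts(candidate)) > 1,   # e.g. Cyrillic а in a Latin name
        "confusable_with": [],                          # same in every font
        "font_dependent_confusable_with": [],           # depends on font / case
    }
    for name in existing:
        if name == candidate:
            continue
        if skeleton(name) == strict:
            report["confusable_with"].append(name)
        elif skeleton(name, loose=True) == loose:
            report["font_dependent_confusable_with"].append(name)
    return report


if __name__ == "__main__":
    for cand in ["\u0430lice", "LIoyd", "ali\u200bce", "carol"]:
        print(repr(cand), check_username(cand, EXISTING_NAMES))
```

The strict skeleton is what a site could refuse outright (a name that collides with an existing account in every font is never legitimate); the loose skeleton and the mixed-script flag are better treated as signals for a human reviewer, which is exactly the trade-off against restricting legitimate accounts that the developers mention.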
My account on this site is a member of osmf-data-wg here but that isn’t shown in the “account flair” here because I turned it off; most of the time here I’m not wearing a DWG hat and I’m not representing the DWG when I say anything, except when I say:
– Andy (from the DWG)
Edit: added “, except when I say:” to try and make the last bullet point clearer.
My account on this site is a member of osmf-data-wg here but that isn’t shown in the “account flair” here because I turned it off; most of the time here I’m not wearing a DWG hat and I’m not representing the DWG when I say anything.
It would be nice to have this shown on a per-post or per-category basis. I also wouldn’t want to walk around here with an Italy mod sign on my head, but I want to be recognizable (fellow members want it) as a mod in the Italian category, and turned it back on for this reason. Maybe it could be shown automatically if you mark the post as “acting in the conferred role”.
That’s a good idea, but the challenge is where do you want that conversion to appear. The character “р” is a valid character in a Cyrillic name. Maybe anything on the site that is actually a URL, but not those places where it is literally just a display name?
I believe that rendering this in URLs would be sufficient. It would still be easy to distinguish fake accounts while leaving people’s display names unchanged. Additionally, this approach would not disrupt any other third-party tools since the display_name returned from the API would remain unaffected. It would only impact the URLs.