DWG username impersonation

A mapper was able to rename their account to an identical username used by DWG for repairs, allowing them to revert dozens of changesets and remove the Russian language from OSM with a concerning message.

I’m not sure how this was possible, but it raises questions about account security. Is there a way to prevent this from happening again?

I must admit, I was taken aback to think that such changesets could have been initiated by someone affiliated with DWG.

I am equally shocked that the user only received a 24-hour block for their actions. This behavior should not be tolerated, and in my opinion, a user ban and automatic reversion of all changesets would have been more appropriate.

Given the scale of these changesets across the world, I anticipate there will be many comments and discussions about this today which could have been avoided.


woodрeck_reрair | OpenStreetMap is impersonating @woodpeck’s bot account using an old trick: replacing the Latin letter “p” with the Cyrillic letter “р”.

Homograph attacks are a common problem in multilingual platforms that allow users to choose any arbitrary sequence of Unicode characters as a user name. The website developers have concluded that any solution to the problem, such as disallowing user names that are “confusable” with an existing user name, would impose too many restrictions on legitimate accounts:

@SomeoneElse, is this block the final word, or will the user be forcibly renamed if they don’t do it themselves?


Understood. Then let’s prioritize “Impersonation” as a top offense that results in an automatic ban. Without appropriate consequences, some mappers might be tempted to use this technique again.

I’d be totally shocked if this user here could just take back their previous username like nothing happened.


I support that. The changeset comments are appalling.


We’ll deal with the damage but it might take a bit longer to repair things than to break them. And yes, the discussions about this could have been avoided if everyone on the planet was nice and friendly but sadly that is not within our powers :wink:

The account was blocked for a short time while we investigate but it is unlikely we will simply let them continue making these types of edits, so no need for you to be shocked.

As Minh has pointed out, Unicode is your oyster if you want to create lookalike usernames and it is extremely difficult to prevent that automatically. Even without Unicode tricks people have created lookalike usernames by replacing, say, a lower-case L with an upper-case I etc…


No - that was just enough of a block to get us into today. I’ve extended it and translated it.


Would it be an idea to preemptively create such accounts as with Woodpeck and block those at the same time?

1 Like

Just to clarify things:
Homographic (lookalike) attacks depend not only on the character represented by its unicode numeric value, but also on the glyphs (optical appearance) of the used font.
E.g. a upper case “I” and lower case “l” my look equal in sansserif fonts but different in serif fonts.

Therefore preempive measures are more laborious than it looks like at first glance.


OK, so would a look-alike filter be possible for key accounts… “Hello this name is not acceptable, please use a different one”.

1 Like

A couple more points:

  1. I would like tools like OSMCha to explicitly highlight DWG members. There is a non-obvious filtering mechanism, but I think many people want to see edits with DWG rollbacks. It is worth contacting the developers of these tools. upd: Highlight DWG member accounts · Issue #675 · mapbox/osmcha-frontend · GitHub
  2. But for this, DWG participants must have a tag on their account.
    @woodpeck Why is your OSM account not labeled as a moderator?:frowning: Like mavl | OpenStreetMap

Maybe not only DWG accounts. There are also a couple of “repair/revert accounts” operated from normal community members.

1 Like

Taking me as an example:

– Andy (from the DWG)

Edit: added “, except when I say:” to try and make the last bullet point clearer.

1 Like

My account on this site is a member of osmf-data-wg here but that isn’t shown in the “account flair” here because I turned it off; most of the time here I’m not wearing a DWG hat and I’m not representing the DWG when I say anything.

it would be nice to have this shown on a per post or per category basis, I also wouldn’t want to walk here around with an italy mod sign on my head, but I want to be recognizable (fellow members want it) as a mod in the italian category, and turned it back on for this reason. Maybe it could be shown automatically if you mark the post as “acting in the conferred role”.


I believe that a proper solution would involve using punycodes (just like in some secure browsers).

woodрeck_reрair (fake) then becomes xn--woodeck_reair-e8kg


woodpeck_repair (real) becomes woodpeck_repair

so it’s backwards compatible.


That’s a good idea, but the challenge is where do you want that conversion to appear. The character “р” is a valid character in a Cyrillic name. Maybe anything on the site that is actually a URL, but not those places where it is literally just a display name?

  1. It won’t save you from: l I 0 O
  2. Many nicknames have non-Latin characters

One thing to note is that it’s not completely 100% backward compatible.

For example, Polish names and names with special characters may render differently.

Włodek becomes xn--wodek-k7a.

Perhaps there is already a solution specific to username cases based on punycodes?

Punycodes are primarily designed for URL hostnames, but they happen to work well for usernames. However, there is still room for improvement.

1 Like

I believe that rendering this in URLs would be sufficient. It would still be easy to distinguish fake accounts while leaving people’s display names unchanged. Additionally, this approach would not disrupt any other third-party tools since the display_name returned from the API would remain unaffected. It would only impact the URLs.


This is a very strange decision.

In this case, the only thing that an ordinary participant can rely on is the date the account was created and the activity of the account.

If the user doesn’t know which accounts the DWG uses, then their punicode won’t help them in any way: they don’t know the moderators real nicknames. (They’re not even here Data Working Group - OpenStreetMap Foundation)


I agree with this. The moderator flair is intended to distinguish moderators, yet moderators are using accounts that do not have this branding, which leads to confusion.