UX/UI could cause user confusion (and one user to confuse people into thinking they are a different user) #397

Closed
ejcx opened this Issue Mar 27, 2014 · 10 comments

4 participants

@ejcx
ejcx commented Mar 27, 2014

I created an account so that you could see what I mean.

https://keybase.io/maIgorithms , compared to https://keybase.io/chris

As you can see, I have a different twitter and github name than Chris, but my profile almost looks identical. If Chris didn't prove his site-ownership, users may easily confuse us, because my twitter handle and github handle look identical to his, due to the font chosen. I also attached some images so you can see what I mean.

[screenshot: mal]

[screenshot: chris]

@ejcx ejcx changed the title from UX/UI could cause user confusion (and one user to impersonate another) to UX/UI could cause user confusion (and one user to confuse people into thinking they are a different user) Mar 27, 2014
@ejcx
ejcx commented Mar 27, 2014

I should note, I registered maigorithms by mistake on keybase, I could have registered maLgorithms, which would cause users expecting to find Chris at a consistent URL to find me (not Chris) but looking really damn close.

@MattSurabian

Spooky attack vector! 👻

FWIW on Chrome in OS X only the button and user profile have the font issue, twitter and github look ok.
[screenshot 2014-03-27 1:45:52 pm]

@ejcx
ejcx commented Mar 27, 2014

Odd. I'm using Chrome on OS X as well and I see it just like in the screenshots I posted. Might be a version thing... or something...

My friend using Safari on OSX saw it just like in my screenshots as well.

@maxtaco
Contributor
maxtaco commented Mar 27, 2014

We're just addressing this. Our workaround for now is to present all names as lowercase. We're already dealing with the standard cyrillic homographs, but we missed this attack. Thanks for pointing it out!

@ejcx
ejcx commented Mar 27, 2014

Ahh cool. So Matt's problem was you guys' fix! Cool. That was speedy.

@maxtaco
Contributor
maxtaco commented Mar 27, 2014

Pretty serious security bug.

@malgorithms
Contributor

Yes, this is a great example proof.

Some details:

  • the reason it looks different for @MattSurabian is that we just changed it to all lowercase, as @maxtaco said
  • we're talking now about how to avoid this kind of attack around the site/client in general.

@oxee -

  • can you change the name of that account to something other than "Chris Coyne" and my photo? I'd like to leave your demo account up while we explore presentation options, and I don't want it to cause confusion to users in the short run who are actually searching for me.
@ejcx
ejcx commented Mar 27, 2014

Sure thing Chris, I'll change the image, name, and description

@malgorithms
Contributor

ok, I think we can close this one, since we're now presenting:

  • usernames everywhere on the site in all lowercase.
  • github and twitter usernames in all lowercase on profiles and in search results (not in keybase client results, though, since we assume terminals can distinguish)

I'm glad you caught this one early. As Max said, we were limiting to a-zA-Z and figured we'd protected users from all those crazy UTF8 attacks.

Let me also add that on a personal note, I had about a 10 second heart attack during which I thought my real twitter and github accounts had both been compromised.
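The two mitigations described in this thread (lowercase presentation everywhere, and treating near-identical names as collisions at registration time) expressed as a small username registry. This is an added example, not code from the issue or from the Keybase project; the confusable character table and the allowed-name pattern are assumptions of the example, and the names used are the ones from the issue.

```javascript
// Added example, not code from the Keybase issue or project: a defender-side
// registry that stops Latin-letter lookalike usernames such as "maIgorithms"
// (capital i) from being registered next to "malgorithms" (lowercase L).
//
// Two measures, matching what the thread describes:
//   1. presentation: always render names lowercased, so a capital I can no
//      longer be drawn like a lowercase l in a sans-serif font;
//   2. registration: refuse a name whose visual "skeleton" collides with an
//      existing account, so the lookalike never gets registered at all.
//
// The confusable table is a hand-picked ASCII subset chosen for this example
// (an assumption); a production system would use the Unicode TR39 confusables
// data, which also covers the Cyrillic homographs mentioned in the thread.

const ALLOWED = /^[A-Za-z0-9_]{2,16}$/; // assumed username alphabet and length

// Characters that look alike in common sans-serif fonts, mapped to one
// representative. Everything not listed is compared case-insensitively.
const CONFUSABLES = {
  I: 'l', l: 'l', '1': 'l', // capital i, lowercase L, digit one
  O: 'o', o: 'o', '0': 'o', // capital o, lowercase o, digit zero
};

// Reduce a name to its visual skeleton; two names with equal skeletons may be
// indistinguishable to a user reading the site.
function skeleton(name) {
  return Array.from(name, (ch) => CONFUSABLES[ch] ?? ch.toLowerCase()).join('');
}

// What profile pages and search results should print (measure 1).
function displayName(name) {
  return name.toLowerCase();
}

function looksLike(a, b) {
  return skeleton(a) === skeleton(b);
}

class UsernameRegistry {
  constructor() {
    this.bySkeleton = new Map(); // skeleton -> registered name
  }

  // Returns { ok: true } or { ok: false, reason, conflictsWith? } (measure 2).
  register(name) {
    if (!ALLOWED.test(name)) {
      return { ok: false, reason: 'invalid characters or length' };
    }
    const key = skeleton(name);
    const existing = this.bySkeleton.get(key);
    if (existing !== undefined) {
      return { ok: false, reason: 'looks like an existing username', conflictsWith: existing };
    }
    this.bySkeleton.set(key, name);
    return { ok: true };
  }
}

// Walk-through with the names from the issue (constructed scenario).
function demo() {
  const reg = new UsernameRegistry();
  const r1 = reg.register('malgorithms'); // legitimate account, accepted
  const r2 = reg.register('maIgorithms'); // capital-i lookalike, rejected
  const r3 = reg.register('maLgorithms'); // capital-L lookalike, rejected
  return { r1, r2, r3 };
}

console.log(demo());
console.log(displayName('maIgorithms')); // "maigorithms": the i is now visibly an i
```

Lowercasing alone only fixes the display side: `maIgorithms` still owns a distinct URL, which is why the registry also compares skeletons rather than exact strings. Extending `CONFUSABLES` with multi-character cases (such as `rn` versus `m`) would need a substring rewrite rather than the per-character map used here.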

@MattSurabian

Hah! kind of the person who compromised them to open a github issue 😻
