UX/UI could cause user confusion (and one user to confuse people into thinking they are a different user) #397

Closed
ejcx opened this Issue Mar 27, 2014 · 10 comments

ejcx commented Mar 27, 2014

I created an account so that you could see what I mean.

https://keybase.io/maIgorithms , compared to https://keybase.io/chris

As you can see, I have a different twitter and github name than Chris, but my profile almost looks identical. If Chris didn't prove his site-ownership, users may easily confuse us, because my twitter handle and github handle look identical to his, due to the font chosen. I also attached some images so you can see what I mean.

[screenshot: mal]

[screenshot: chris]

@ejcx ejcx changed the title from UX/UI could cause user confusion (and one user to impersonate another) to UX/UI could cause user confusion (and one user to confuse people into thinking they are a different user) Mar 27, 2014

ejcx commented Mar 27, 2014

I should note, I registered maigorithms by mistake on keybase, I could have registered maLgorithms, which would cause users expecting to find Chris at a consistent URL to find me (not Chris) but looking really damn close.

MattSurabian commented Mar 27, 2014

Spooky attack vector! 👻

FWIW on Chrome in OS X only the button and user profile have the font issue, twitter and github look ok.
[screenshot: screen shot 2014-03-27 at 1 45 52 pm]

ejcx commented Mar 27, 2014

Odd. I'm using Chrome on OSX as well and I see it just like in the screenshots I posted. Might be a version thing...or something...

My friend using Safari on OSX saw it just like in my screenshots as well.

maxtaco (Contributor) commented Mar 27, 2014

We're just addressing this. Our workaround for now is to present all names as lowercase. We're already dealing with the standard Cyrillic homographs, but we missed this attack. Thanks for pointing it out!

ejcx commented Mar 27, 2014

Ahh cool. So Matt's problem was your guys' fix! Cool. That was speedy.

maxtaco (Contributor) commented Mar 27, 2014

Pretty serious security bug.

malgorithms (Contributor) commented Mar 27, 2014

Yes, this is a great example proof.

Some details:

  • the reason it looks different for @MattSurabian is that we just changed it to all lowercase, as @maxtaco said
  • we're talking now about how to avoid this kind of attack around the site/client in general.

@oxee -

  • can you change the name of that account to something other than "Chris Coyne" and my photo? I'd like to leave your demo account up while we explore presentation options, and I don't want it to cause confusion to users in the short run who are actually searching for me.

ejcx commented Mar 27, 2014

Sure thing Chris, I'll change the image, name, and description

malgorithms (Contributor) commented Mar 27, 2014

ok, I think we can close this one, since we're now presenting:

  • usernames everywhere on the site in all lowercase.
  • github and twitter usernames in all lowercase on profiles and in search results (not in keybase client results, though, since we assume terminals can distinguish)

I'm glad you caught this one early. As Max said, we were limiting to a-zA-Z and figured we'd protected users from all those crazy UTF8 attacks.

Let me also add that on a personal note, I had about a 10 second heart attack during which I thought my real twitter and github accounts had both been compromised.

MattSurabian commented Mar 27, 2014

Hah! Kind of the person who compromised them to open a github issue 😻
