I created an account so that you could see what I mean.
https://keybase.io/maIgorithms, compared to https://keybase.io/chris
As you can see, I have a different twitter and github name than Chris, but my profile almost looks identical. If Chris didn't prove his site-ownership, users may easily confuse us, because my twitter handle and github handle look identical to his, due to the font chosen. I also attached some images so you can see what I mean.
I should note, I registered maigorithms by mistake on keybase, I could have registered maLgorithms, which would cause users expecting to find Chris at a consistent URL to find me (not Chris) but looking really damn close.
Spooky attack vector! 👻
FWIW on Chrome in OS X only the button and user profile have the font issue, twitter and github look ok.
Odd. I'm using Chrome on OSX as well and I see it just like in the screenshots I posted. Might be a version thing... or something...
My friend using Safari on OSX saw it just like in my screenshots as well.
We're just addressing this. Our workaround for now is to present all names as lowercase. We're already dealing with the standard cyrillic homographs, but we missed this attack. Thanks for pointing it out!
Ahh cool. So Matt's problem was you guys' fix! Cool. That was speedy.
Pretty serious security bug.
Yes, this is a great example proof.
Sure thing Chris, I'll change the image, name, and description
ok, I think we can close this one, since we're now presenting:
I'm glad you caught this one early. As Max said, we were limiting to a-zA-Z and figured we'd protected users from all those crazy UTF8 attacks.
Let me also add that on a personal note, I had about a 10 second heart attack during which I thought my real twitter and github accounts had both been compromised.
Hah! kind of the person who compromised them to open a github issue 😻
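The following is an added example, not part of the thread and not Keybase's code: a registration-time check that catches the `I`/`l` look-alike discussed above, next to the lowercase-display workaround. The function names, the allowed character set and the look-alike table are assumptions made for this sketch.

```python
from __future__ import annotations

import re

# Assumed charset for this sketch; the thread only mentions restricting to a-zA-Z.
ALLOWED = re.compile(r"[A-Za-z0-9_]+")

# Assumed ASCII look-alike classes in sans-serif fonts (constructed, not exhaustive).
FOLD = str.maketrans({"I": "l", "1": "l", "O": "0"})


def display_name(name: str) -> str:
    """Lowercase before rendering, as in the workaround described in the thread."""
    return name.lower()


def skeleton(name: str) -> str:
    """Fold look-alikes on the original casing first, then lowercase the rest."""
    return name.translate(FOLD).lower()


def find_collision(candidate: str, existing: list[str]) -> str | None:
    """Return the existing name the candidate could be mistaken for, or None."""
    if not ALLOWED.fullmatch(candidate):
        # Non-ASCII homographs (e.g. Cyrillic letters) are rejected outright.
        raise ValueError("name contains characters outside the allowed set")
    for name in existing:
        # Same name ignoring case, or same visual skeleton in mixed-case rendering.
        if candidate.lower() == name.lower() or skeleton(candidate) == skeleton(name):
            return name
    return None


if __name__ == "__main__":
    taken = ["malgorithms", "chris"]  # constructed sample data
    for wanted in ["maIgorithms", "maigorithms", "ma1gorithms"]:
        hit = find_collision(wanted, taken)
        print(f"{wanted!r}: shown as {display_name(wanted)!r}, collides with {hit!r}")
```

Lowercasing only changes how a name is shown; the skeleton comparison is what stops a look-alike from being registered, or accepted as a linked handle, in the first place.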