Bots can be created with the same full name as existing users #1107

Closed
kevinr opened this Issue Jun 23, 2016 · 10 comments

@kevinr
kevinr commented Jun 23, 2016 edited

...which allows the owner of the bot to impersonate them.

EDITED from discussion below. The current proposed approach to solving this problem is to modify the way bots are displayed in the frontend UI to make clear they are bots. Concrete ideas on the design wanted!

@tdickers

It's most effective if you use the same username and the same avatar. You can click on the user's avatar or name to see the email address associated (and will see xxx-bot@yyy.zz), but it's fairly effective.

The hard part in mitigating this would probably be edge cases of characters like l and I (lower case 'el' and capital 'eye'), null characters, etc.

Maybe just have a config option to require all bot display names to be prefixed with the user's name?

@timabbott
Member

I agree with @tdickers, because of Unicode characters that look identical to each other, it's difficult to prevent a human user from impersonating another by copying their name and avatar (potentially modulo using a very-similar-looking Unicode character).

There are a few things one can do to solve the human or bot impersonation problem:

  1. Use social pressure to discourage bad behavior (usually quite effective in a work context).
  2. Set NAME_CHANGES_DISABLED to make it difficult for humans to change their names (you'll want to be using LDAP or something to set them in the first place). It might be nice to have a UI for realm admins to change users' names to go along with this setting for teams not using LDAP.
  3. Display the user's email address more prominently (kinda ugly) or switch to using a unique username (rather than an actual name) as the display name of users.
  4. Display bots differently from human users (e.g. with a nice "bot" icon next to their name). If done well, this could be a nice feature regardless, and is probably the best path forward for this issue. A variant of this would be to just require that all bot names are of the form "X Bot" :)
  5. Block users having the same name as other users, perhaps after some sort of Unicode normalization. Imperfect fix.
  6. Similar to 5 but just display users with duplicate names differently (e.g. with email as well)

I think (2) and (4) are probably the most promising technical things to do here, but I'm definitely interested in thoughts!
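
An added illustration of option 5 and of the l/I and null-character edge cases mentioned earlier in the thread. It is not from any participant and is not Zulip's code; `skeleton`, `find_collisions`, the `CONFUSABLES` map and the sample names are all constructed for this example. It also shows why the check is imperfect: a look-alike missing from the map is not caught.

```python
import unicodedata

# Constructed sample map (assumption): a handful of look-alikes, applied after
# case folding. A real check would load the Unicode UTS #39 confusables data.
CONFUSABLES = {
    "i": "l",       # capital 'eye' folds to 'i'; merge with lower-case 'el'
    "1": "l",
    "0": "o",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0456": "l",  # Cyrillic i (Ukrainian), merged like Latin i
}

def skeleton(name: str) -> str:
    """Reduce a display name to a key used only for comparison, never display."""
    text = unicodedata.normalize("NFKC", name).casefold()
    # Drop invisible characters (NUL, zero-width space/joiner) but keep whitespace.
    text = "".join(
        ch for ch in text
        if ch.isspace() or unicodedata.category(ch) not in ("Cc", "Cf")
    )
    text = " ".join(text.split())  # collapse runs of whitespace
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def find_collisions(candidate: str, existing: list[str]) -> list[str]:
    """Return the existing full names the candidate would be mistaken for."""
    key = skeleton(candidate)
    return [name for name in existing if skeleton(name) == key]

if __name__ == "__main__":
    users = ["Kevin Riggle", "Tim Abbott"]  # constructed sample realm
    for bot_name in [
        "Kevin RiggIe",               # capital 'eye' in place of 'el'
        "K\u0435vin Riggle",          # Cyrillic ie
        "Kevin\u200b Riggle",         # zero-width space
        "\uff34\uff49\uff4d Abbott",  # fullwidth letters
        "Tim Abb\u03bftt",            # Greek omicron: not in the map, so missed
        "Kevin Riggle Bot",
    ]:
        print(repr(bot_name), "->", find_collisions(bot_name, users))
```

The skeleton deliberately over-merges (every "i" becomes "l"), which is harmless because it is only compared against other skeletons and never shown to users.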

@tdickers

NAME_CHANGES_DISABLED worked well for solving the "primary user account impersonating another" but doesn't cover the bot case.

@timabbott
Member

@tdickers @kevinr what are your thoughts on approach (4) in my list?

@tdickers

I think number 4 is the best option proposed.

@timabbott
Member

OK, edited the issue description (from Kevin's post) to note that proposal; hopefully someone will have a good idea for how to do this nicely from a design perspective.

We could consider just doing an icon on one side of the user's name; we currently use FontAwesome (http://fontawesome.io/icons/) as our main source for icons.

@timabbott timabbott modified the milestone: Likely next milestone Jul 7, 2016
@tommyip
Member
tommyip commented Dec 25, 2016

I will work on this.

@tommyip tommyip added a commit to tommyip/zulip that referenced this issue Dec 25, 2016
@tommyip tommyip Add styling to distinguish bots from human users.
Wrap bot's name inside a bootstrap label with a font-awesome
android icon.
Fixes #1107
8fc78a0
@timabbott
Member

@kevinr you may want to take a quick look at the options being discussed in #2909.

@kevinr
kevinr commented Dec 28, 2016

Wow, I'm way behind on this issue. I commented on #2909.

A couple other options:

  1. Display a user's picture whenever they're mentioned. So Hiya @Kevin Riggle! would result in "Hiya (small userpic)Kevin Riggle"
  2. Include the user's email address in the title text of their display name and picture.
@tommyip tommyip added a commit to tommyip/zulip that referenced this issue Jan 11, 2017
@tommyip tommyip Add styling to distinguish bots from human users.
Fixes #1107
54c2577
@tommyip tommyip added a commit to tommyip/zulip that referenced this issue Jan 11, 2017
@tommyip tommyip Add styling to distinguish bots from human users.
Fixes #1107
712220f
@tommyip tommyip added a commit to tommyip/zulip that referenced this issue Jan 11, 2017
@tommyip tommyip Add styling to distinguish bots from human users.
Fixes #1107
3a473bd
@brockwhittaker brockwhittaker added a commit to brockwhittaker/zulip that referenced this issue Feb 16, 2017
@tommyip @brockwhittaker tommyip + brockwhittaker Add styling to distinguish bots from human users.
Fixes #1107
55bb328
@timabbott timabbott added a commit that closed this issue Feb 17, 2017
@tommyip @timabbott tommyip + timabbott Add styling to distinguish bots from human users in message view.
With work by Brock Whittaker and Tim Abbott on rebasing + changing
styling.

Fixes #1107
abf522a
@timabbott timabbott closed this in abf522a Feb 17, 2017
@timabbott
Member

Just an update on this thread, we just merged #2909, which means we now have different styling for bot users from human users.