Security issue

Found an issue with the phpBB system here at NESdev? Use this forum to report problems.


teppIes
Posts: 6
Joined: Fri Aug 03, 2018 1:20 pm

Security issue

Post by teppIes »

Wait
Last edited by teppIes on Fri Aug 03, 2018 11:43 pm, edited 2 times in total.
orlaisadog
Posts: 166
Joined: Thu May 31, 2018 11:12 am
Location: Bristol, England

Re: Security issue

Post by orlaisadog »

Also lidnariq (that was me)
Revenant
Posts: 462
Joined: Sat Apr 25, 2015 1:47 pm
Location: FL

Re: Security issue

Post by Revenant »

Image

I have a hard time believing that this would actually fool anybody.
orlaisadog
Posts: 166
Joined: Thu May 31, 2018 11:12 am
Location: Bristol, England

Re: Security issue

Post by orlaisadog »

You have a different font to me :D
Attachments
Screenshot_20180803-214924.jpg
Revenant
Posts: 462
Joined: Sat Apr 25, 2015 1:47 pm
Location: FL

Re: Security issue

Post by Revenant »

Even so, I can't see an account with a single-digit post count and a 2018 registration date somehow successfully impersonating one of the site admins (or lidnariq, who registered a decade ago and has over 7,000 posts) long enough to actually accomplish anything.
orlaisadog
Posts: 166
Joined: Thu May 31, 2018 11:12 am
Location: Bristol, England

Re: Security issue

Post by orlaisadog »

I would think that no one really looks at the stats. I'd expect most people just glance at the profile picture.
rainwarrior
Posts: 8732
Joined: Sun Jan 22, 2012 12:03 pm
Location: Canada

Re: Security issue

Post by rainwarrior »

You don't need special rules for l vs I, there are a lot of ways to impersonate someone's account name. Mods can just ban people for doing that, this is not a security issue.
Dwedit
Posts: 4924
Joined: Fri Nov 19, 2004 7:35 pm

Re: Security issue

Post by Dwedit »

Font is set to "Lucida Grande", Verdana, Helvetica, Arial, sans-serif;
So if you actually have Lucida Grande, or don't have Verdana, you get a capless I.

Meanwhile, the Post font is set to "Lucida Grande", "Trebuchet MS", Helvetica, Arial, sans-serif;
Trebuchet MS has the distinctive slanted M character, and a capless I.
Here come the fortune cookies! Here come the fortune cookies! They're wearing paper hats!
orlaisadog
Posts: 166
Joined: Thu May 31, 2018 11:12 am
Location: Bristol, England

Re: Security issue

Post by orlaisadog »

It's still an issue. Can I get permission from a user with a (lowercase) L in their username and a moderator to see how many people I can fool by doing this and see if it needs to be changed? I have one but it would work better to use someone else's.
teppIes
Posts: 6
Joined: Fri Aug 03, 2018 1:20 pm

Re: Security issue

Post by teppIes »

What about this?
Hello. I seem to have lost my admin rights as my name isn't red anymore. Please can they be restored? Thank you

(deletes all forum posts and replaces them with spam)
rainwarrior
Posts: 8732
Joined: Sun Jan 22, 2012 12:03 pm
Location: Canada

Re: Security issue

Post by rainwarrior »

orlaisadog wrote:It's still an issue. Can I get permission from a user with a (lowercase) L in their username and a moderator to see how many people I can fool by doing this and see if it needs to be changed? I have one but it would work better to use someone else's.
Why do you think this is an experiment that needs to be undertaken? What do you think we need to know about this that we don't already?
Revenant
Posts: 462
Joined: Sat Apr 25, 2015 1:47 pm
Location: FL

Re: Security issue

Post by Revenant »

teppIes wrote:What about this?
Hello. I seem to have lost my admin rights as my name isn't red anymore. Please can they be restored? Thank you

(deletes all forum posts and replaces them with spam)
Which of the two other admins on this forum do you think are stupid enough to fall for this?
Banshaku
Posts: 2417
Joined: Tue Jun 24, 2008 8:38 pm
Location: Japan

Re: Security issue

Post by Banshaku »

Since we have known the admins for ages and know their writing pattern, this is not something that would happen. For a new bbs this is a different story, but for here there is not much to be concerned about.
tepples
Posts: 22708
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)

Re: Security issue

Post by tepples »

This post is cryptic, I admit. It's intended to hint to the "guilty" party that we're on to you, while the impostor account's post count is still low, without causing too much disruption otherwise.
All users can see join dates and post counts, and with an appropriate font, capital I isn't a homoglyph.
Firefox ESR 52 in Debian 9, with Wine (and the MS Core Fonts) installed
postcount.png (4.67 KiB) Viewed 13702 times
The comment section of Explosm.net allows setting "badges" on users, and the Discord chat platform allows setting "roles" on users. Both have been used to distinguish a regular from a homoglyph impostor. The counterpart in phpBB is the "special rank", which this board mostly uses for name change notices.

Without giving too much away: We have set phpBB to store some information about where each post came from, on the basis of legitimate interest in preventing and curing abuse. There exist ways to evade the measures we have in place, but I don't think it's quite bad enough yet to have to install stylometry software to guess identity based on writing style. Stylometry probably wouldn't do a good job anyway in the face of misattribution due to mistaken quoting markup.

Now how would you think to imitate my writing style?
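As an added example (not code from this thread or from phpBB itself), the "teppIes" vs "tepples" case above can be caught at registration time by reducing every username to a confusable skeleton before comparing it with existing accounts. The confusable map and the in-memory list of existing names are assumptions constructed for this example.

```python
import unicodedata
from typing import List, Tuple

# Latin glyphs that the fonts discussed above render identically.
# This map is an assumption of the example, not phpBB's own logic.
CONFUSABLES = {
    "I": "l", "l": "l", "1": "l", "|": "l",   # capital i, ell, one, bar
    "O": "o", "0": "o",                        # capital o, zero
}

# Constructed sample of accounts already registered on the board.
EXISTING_USERS = ["tepples", "lidnariq", "rainwarrior", "Dwedit"]


def skeleton(name: str) -> str:
    """Map a username to a form in which visually identical names collide.

    NFKC folds fullwidth and other compatibility forms to plain ASCII first;
    confusables are mapped before lowercasing, because "I".lower() is "i",
    not the "l" it is mistaken for.
    """
    folded = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(ch, ch.lower()) for ch in folded)


def find_collisions(candidate: str, existing: List[str]) -> List[str]:
    """Return the existing usernames the candidate is confusable with."""
    key = skeleton(candidate)
    return [u for u in existing if u != candidate and skeleton(u) == key]


def check_registration(candidate: str) -> Tuple[bool, List[str]]:
    """Allow a new name only if it collides with no existing account."""
    collisions = find_collisions(candidate, EXISTING_USERS)
    return (not collisions, collisions)


if __name__ == "__main__":
    for name in ("teppIes", "Iidnariq", "newuser"):
        print(name, check_registration(name))
```

A plain case-insensitive uniqueness check (what phpBB's cleaned username already gives you) would accept "teppIes", since it lowercases to "teppies" rather than "tepples".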
teppIes
Posts: 6
Joined: Fri Aug 03, 2018 1:20 pm

Re: Security issue

Post by teppIes »

Revenant wrote:
teppIes wrote:What about this?
Hello. I seem to have lost my admin rights as my name isn't red anymore. Please can they be restored? Thank you

(deletes all forum posts and replaces them with spam)
Which of the two other admins on this forum do you think are stupid enough to fall for this?
I'm not saying anyone is stupid. I would fall for this.