Posted on: 2005/8/12 12:25
Re: What do you think about new login in Xoops 2.2
Does XOOPS 2.2 check for duplicate display names?
I'm really not too familiar with the new system, so I could be wrong, but I just wanted to mention this scenario:
New security threat:
Display name spoofing.
Let's say Mithrandir (hypothetically) decides to change his display name. He just decides one day he wants to be called something else.
Then, some clever person out there decides to change their display name to Mithrandir... And on top of that, they send mail to different people saying: "Important bug fix! please download the new version of XOOPS here: http://mysite.com/xoops.zip"
The user goes and downloads the "patch" only to find there is a trojan horse in the php code.
Someone could also change their name to a previously used name just to get personal information from someone else. For example, even just asking for email addresses, or how the date went last night or whatever.
I said that to say, there is a certain amount of trust that people give names. But, now that trust is no longer there because these names are somewhat interchangeable. You lose the ability to tell who is who with 100% probability. This provides a security hole in which a hacker doesn't really have to do anything clever or technical (unlike before), and you could have a much bigger problem.
Even if you did have a system where you kept track of past display names, so people could not use them anymore, you could run out the namespace quickly if people frequently changed names.
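As an added example (not XOOPS code, and not part of the original post), here is a Python sketch of the check the post asks about: a display name is refused if another member holds it now or released it less than a hold period ago, with names compared after folding case, Unicode lookalike forms and whitespace. The in-memory tables, the one-year hold period and the user ids are assumptions made for the example.

```python
import re
import unicodedata

DAY = 86400
# Assumption: a released display name stays reserved for its former owner for
# one year rather than forever, so renames do not exhaust the namespace.
HOLD_PERIOD = 365 * DAY


def normalize(name: str) -> str:
    """Fold the variants a reader cannot tell apart: Unicode compatibility
    forms (fullwidth letters etc.), letter case, and runs of whitespace."""
    name = unicodedata.normalize("NFKC", name).casefold()
    return re.sub(r"\s+", " ", name).strip()


class DisplayNameRegistry:
    """In-memory stand-in (constructed for this example) for the users table
    plus a log of former display names and when they were released."""

    def __init__(self):
        self.current = {}   # normalized name -> uid holding it now
        self.history = {}   # normalized name -> (former owner uid, released_at)

    def set_display_name(self, uid: str, name: str, now: float):
        """Return (ok, reason). Refuses a name held by another member now, or
        released by another member less than HOLD_PERIOD seconds ago."""
        key = normalize(name)
        if not key:
            return False, "empty display name"
        holder = self.current.get(key)
        if holder is not None and holder != uid:
            return False, "display name already in use"
        former = self.history.get(key)
        if former is not None and former[0] != uid and now - former[1] < HOLD_PERIOD:
            return False, "display name was recently used by another member"
        # Release the caller's previous name into the history, then take the new one.
        for old_key, holder_uid in list(self.current.items()):
            if holder_uid == uid:
                del self.current[old_key]
                self.history[old_key] = (uid, now)
        self.current[key] = uid
        return True, "ok"
```

The original owner may always reclaim a name they released, so a member who changes their mind is not locked out by their own hold.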