Possible Account Impersonation Issue
complete
Zai Lynch
Primfeed creates usernames by concatenating the first name with the last name.
This might lead to an issue. Imagine two Accounts with the following names:
Foo Barbaz
Foobar Baz
They will both be named "foobarbaz".
It's unclear to me how the application will react to that. One option is that it could lead to an account takeover.
A mitigation could be to create usernames by adding a delimiter to the username. Other applications used a dot. So in the example case this would lead to the usernames foo.barbaz and foobar.baz.
It's probably too late to change the naming scheme, but still in time to get precautions in place, in case they aren't already there. (I would have made this a confidential report, but didn't spot a way to submit confidential feedback.)
--zai
Luke Rowley
complete
This is now fixed :) The handles are now including a dot between the first and last names. Thank you so much for this!
Luke Rowley
in progress
Fullperm Alpha
Upvoted.
Luke Rowley
planned
Luke Rowley
under review
I had a discussion with an LL employee, and they told me that name colliding isn't a thing on SL. Do you have an example of collision between two names?
zhutra Resident
Luke Rowley Hi Luke, I think they are referring to the username for their URLs. In this example, even though their resident names are different, their username for Primfeed would be the same
Zai Lynch
Luke Rowley Zhutra is correct. The issue is within the conversion from Second Life username to Primfeed username.
Second Life usernames consist of a first name and a last name. The most common last name is "Resident" (and SL sometimes hides that name). But older accounts can have different last names. A full list is here:
So there are currently 11372 different last names in total. Some are rather short, so for example one last name is "Ra" or "Li", etc.
You'll find a variety of valid last names in the list that end in "ra", e.g.:
Altamura, Anatra, Aura, Avalira, Avora, Balestra, Bandalora, Barbara, Barrera, Batra, ...
Now depending on the choice of first name, two different SL account names would transform to the same Primfeed username. E.g. taking "Ra" and "Aura" as last name examples, you may have SL names:
"Centau Ra"
"Cent Aura"
And both would transform to "centaura" in Primfeed.
It would now be an exercise of patience or scripting to identify all possible name collisions and to check them against the SL user database to see if there are accounts named like that, but given the size of the user database, it's safe to assume that there will be collisions there.
I would guess that it's a rather rare occurrence for Primfeed since many old SL accounts are now abandoned. But the consequences might be problematic, in case accounts collide, so better to build some safeguard in the code in case it is not already there.
Luke Rowley
Zai Lynch: Your comment makes perfect sense, thank you for that. I will definitely make sure it doesn't happen with the Display name update.
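The collision described in this thread, and the two defences it mentions (a delimiter and a safeguard in the code), as an added example that is not part of the original thread and is not Primfeed's code. The function names, the lowercasing step and the sample account list are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample accounts (first name, last name): the pairs used as
# illustrations in the thread, plus one name that does not collide.
ACCOUNTS = [
    ("Foo", "Barbaz"), ("Foobar", "Baz"),
    ("Centau", "Ra"), ("Cent", "Aura"),
    ("Zai", "Lynch"),
]

def concat_handle(first, last):
    """Scheme described in the report: first + last, lowercased (assumed)."""
    return (first + last).lower()

def dotted_handle(first, last, sep="."):
    """Proposed mitigation: join with a delimiter. This is only unambiguous
    when the delimiter cannot occur inside a name part, so reject that case."""
    if sep in first or sep in last:
        raise ValueError("delimiter appears inside a name part")
    return f"{first}{sep}{last}".lower()

def find_collisions(accounts, scheme):
    """Return {handle: [accounts]} for handles shared by distinct accounts."""
    by_handle = defaultdict(set)
    for first, last in accounts:
        by_handle[scheme(first, last)].add((first, last))
    return {h: sorted(a) for h, a in by_handle.items() if len(a) > 1}

class HandleRegistry:
    """Safeguard: a handle stays bound to the first account that claimed it.
    A real system would key ownership on an immutable account ID (assumed)."""
    def __init__(self, scheme):
        self.scheme, self.owners = scheme, {}

    def claim(self, first, last):
        handle = self.scheme(first, last)
        owner = self.owners.setdefault(handle, (first, last))
        if owner != (first, last):
            raise LookupError(f"{handle!r} already belongs to {owner}")
        return handle

if __name__ == "__main__":
    print(find_collisions(ACCOUNTS, concat_handle))   # two shared handles
    print(find_collisions(ACCOUNTS, dotted_handle))   # none
```

The registry check matters under either scheme: it turns a silent merge of two identities into an explicit error that the sign-up flow can handle.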