Possible Account Impersonation Issue

Primfeed creates usernames by concatenating the first name with the last name.

This might lead to an issue. Imagine two accounts with the following names:

Foo Barbaz

Foobar Baz

They will both be named "foobarbaz".

It's unclear to me how the application will react to that. One option is that it could lead to an account takeover.

A mitigation could be to create usernames by adding a delimiter to the username. Other applications used a dot. So in the example case this would lead to the usernames foo.barbaz and foobar.baz.

It's probably too late to change the naming scheme, but still in time to get precautions in place, in case they aren't already there. (I would have made this a confidential report, but didn't spot a way to submit confidential feedback.)

--zai
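An added illustration of the collision the report describes, not code from the report or from Primfeed: it derives usernames under the delimiter-free scheme and under the dotted scheme, shows which display names collide, and adds a uniqueness check at registration time as the kind of precaution the report asks for. The normalization rule and the numeric-suffix policy are assumptions, not Primfeed's behaviour.

```python
import re

# Constructed sample: the two display names from the report.
SAMPLE_ACCOUNTS = [("Foo", "Barbaz"), ("Foobar", "Baz")]


def _normalize(part: str) -> str:
    """Lowercase and keep only letters and digits (assumed normalization)."""
    return re.sub(r"[^a-z0-9]", "", part.lower())


def username_concat(first: str, last: str) -> str:
    """Scheme described in the report: first name + last name, no delimiter."""
    return _normalize(first) + _normalize(last)


def username_delimited(first: str, last: str, delimiter: str = ".") -> str:
    """Mitigation from the report: separate the two parts with a delimiter."""
    return f"{_normalize(first)}{delimiter}{_normalize(last)}"


def find_collisions(accounts, scheme):
    """Return {username: [display names]} for usernames that more than one
    account would receive under the given scheme."""
    seen = {}
    for first, last in accounts:
        seen.setdefault(scheme(first, last), []).append((first, last))
    return {name: owners for name, owners in seen.items() if len(owners) > 1}


class Registry:
    """Precaution independent of the naming scheme: never hand out a username
    that is already taken. A later claimant gets a numeric suffix
    (hypothetical policy; the point is that the first owner keeps the name)."""

    def __init__(self, scheme=username_delimited):
        self._scheme = scheme
        self._taken = set()

    def register(self, first: str, last: str) -> str:
        base = self._scheme(first, last)
        candidate, n = base, 1
        while candidate in self._taken:
            n += 1
            candidate = f"{base}{n}"
        self._taken.add(candidate)
        return candidate
```

Even with the delimiter, names whose punctuation is stripped by normalization can still collide, so the uniqueness check is the part that actually prevents a second account from claiming an existing username.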

Status: Completed

Board: Bug Reports

Date: Almost 2 years ago

Author: Zai Lynch