Last modified: 2011-12-24 22:49:10 UTC
If you try to create an account that is similar to an existing one (such as me trying to create "SöWhy"), the software will check for existing usernames (here "SoWhy") and disallow creation of the account. On the other hand, if you create the account "SöWhy" on another project where the "SoWhy" account does not exist yet, you can then auto-create the account on the wiki where the "SoWhy" account already exists, thus creating an impersonation account despite the measures set in place to prevent this.
Example:
- http://toolserver.org/~vvv/sulutil.php?user=SoWhy
- http://toolserver.org/~vvv/sulutil.php?user=S%C3%B6Why
Regards, SoWhy
AntiSpoof does not work with CentralAuth currently. This could work in two ways: by blocking the account autocreation if there's a local account with a similar name, or by blocking registration if there is a similarly named global account. I think the latter is preferable.
Blocking autocreation would probably not work without heavy modifications; also, that would still allow impersonation of prominent users on little-known side projects, for example by claiming to be an en-wiki admin on en-wikiversity. On a side note, AntiSpoof probably needs to be improved as well, as seen in the recent attack of impersonation accounts on en-wiki. For example, AntiSpoof does not block the creation of usernames with a single character changed unless that character is similar to the changed one ("SöWhy" is blocked but "SüWhy" is not). On a short username like mine, a change of a character is easily noticed, but if the username has 15+ characters or if the username is complicated, many people will not notice the change, so it would probably be good if AntiSpoof checked how much the new username has in common with existing ones.
(In reply to comment #1)
> AntiSpoof does not work with CentralAuth currently.
>
> This could work in two ways: by blocking the account autocreation if there's a
> local account with similar name, or by blocking registration if there is a
> similarly named global account.
>
> I think the latter is preferable.
Changed bug summary accordingly.
(In reply to comment #2)
> not). On a short username like mine, a change of a character is easily noticed
> but if the username has 15+ characters or if the username is complicated, many
> people will not notice the change, so it would probably be good if AntiSpoof
> checked how much the new username has in common with existing ones.
I'm not sure how valid this request is (even just FoobarLand and FoobarBand are very different imho), but you could request this as a separate bug.
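An added example, not part of the thread and not AntiSpoof or CentralAuth code, showing the gap from the report and the two checks discussed in comments #1 and #2. It assumes a simplified spoof key (Unicode decomposition plus case folding) in place of AntiSpoof's real equivalence table; the wiki names, account lists and function names are constructed for illustration.

```python
import unicodedata

def fold(name):
    """Simplified spoof key: NFKD-decompose, drop combining marks, casefold.
    Assumption: stands in for AntiSpoof's real equivalence table."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()

def edit_distance(a, b):
    """Levenshtein distance using a single-row dynamic programme."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def conflicts(new_name, existing, max_edits=0):
    """Existing names whose spoof key is within max_edits of new_name's key.
    max_edits=0 is the equivalence check; max_edits>0 is comment #2's proposal."""
    key = fold(new_name)
    return sorted(n for n in existing if edit_distance(key, fold(n)) <= max_edits)

# Constructed sample data: per-wiki account lists (wiki names are hypothetical).
LOCAL = {"wiki_a": {"SoWhy"}, "wiki_b": {"Example"}}
# What a check against global accounts would see: the union of all wikis.
GLOBAL = set().union(*LOCAL.values())

def may_register(name, wiki, use_global, max_edits=0):
    """True if registration passes the local-only or the global check."""
    pool = GLOBAL if use_global else LOCAL[wiki]
    return not conflicts(name, pool, max_edits)

if __name__ == "__main__":
    for name in ("SöWhy", "SüWhy"):
        print(name,
              "local@wiki_b:", may_register(name, "wiki_b", use_global=False),
              "global:", may_register(name, "wiki_b", use_global=True),
              "global+1 edit:", may_register(name, "wiki_b", True, max_edits=1))
```

With `max_edits=1` the pair FoobarLand/FoobarBand from comment #3 also counts as a conflict, which is the false-positive cost of a distance-based check.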
Moved and assigned per BugTriage.
Removing from 1.18 deployment blocker but bumping priority to compensate.
Sam, is this something you can look into?
r106805, r106808 were prerequisite work (refactoring etc.).
r106809 and r106812 then build on that, and use the stuff.
Some more updating in r106813, r106816 to bring the maintenance script into recent shape and create a CA script for it also.
Pushing bug back into CA component, as it's done essentially on the CA side.
Some other bits of cleanup work also done to AntiSpoof.
Need to do a bit of testing to check it.
*** Bug 15545 has been marked as a duplicate of this bug. ***
Marking as fixed!