EXTREMELY CRITICAL SECURITY ISSUE
Plurk allows users with karma of 40 or above to change their display name to something different from their user name. For example, if my username is joe123, I can change my display name to just say "Joe" once I reach 40 karma.
Unfortunately there don't appear to be any safeguards on this to prevent users from changing their *display name* to someone else's *username*. I was able to successfully change my display name to the username of one of my friends. See this plurk thread: http://www.plurk.com/p/uy9o
While my correct user profile will display *if* someone clicks on my profile, it is still easy to misrepresent who you are using this technique and possibly get sensitive information from other members who have been fooled.
I would suggest that Plurk turn off the feature to change a display name immediately until a fix can be put in place.
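One way to close the gap the report describes, as an added example that is not Plurk's own code: reject a requested display name whenever it collides with any other account's username after normalisation. The karma threshold of 40 comes from the report; the user table and the normalisation rules are assumptions.

```python
import unicodedata

KARMA_THRESHOLD = 40  # display-name changes unlock at karma 40 (from the report)


def normalize(name: str) -> str:
    """Canonical form for collision checks: NFKC, case-folded, trimmed.
    Without this, "JoeSmith " would slip past an exact-match check."""
    return unicodedata.normalize("NFKC", name).casefold().strip()


def validate_display_name(username, karma, requested, existing_usernames):
    """Return (ok, reason) for a display-name change request.

    Assumed policy: a display name may not equal any *other* account's
    username, so a "Joe" cannot be mistaken for the real @joe123."""
    if karma < KARMA_THRESHOLD:
        return False, "karma below threshold"
    wanted = normalize(requested)
    if not wanted:
        return False, "empty display name"
    taken = {normalize(u) for u in existing_usernames}
    taken.discard(normalize(username))  # your own username is always allowed
    if wanted in taken:
        return False, "display name matches another user's username"
    return True, "ok"


# Constructed sample account table; not real Plurk data.
USERS = ["joe123", "plurkbuddy", "montana", "sbj"]

if __name__ == "__main__":
    for req in ("Joe", "joe123", "PlurkBuddy ", "Montana"):
        print(req, validate_display_name("joe123", 45, req, USERS))
```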
The best solution from the company
-
Display names aren't unique and if they were they would function as nick names (which are unique). Anyway, we will take actions if this becomes a problem, but currently it functions well and users are using display names properly.
-
Wow. Nice catch. That is a problem. I'll try to get the Plurk folks apprised of this one ASAP.
-
-
Thanks Amir. I will keep guard, but I suggest you keep a close eye on this. All it would take is one instance of abuse and Plurk would end up with tons of negative press (you know how the tech pundits love to jump on that sort of stuff). I would hate that because I really love Plurk. Keep up the good work.
-
Don't worry, we'll go for action if it becomes a problem. Thanks for the notification though.
Wow, so was the idea of impersonating Plurk Buddy inspired by this? I wonder? Hmmm....
-
I think there are two very real issues to be considered here.
1. Impersonation: there are a lot of people who have invested time and energy in building an online brand. While I'm not over-protective of business brands, there are some people out there doing very good things for other people and organizations that could be compromised by one misguided person with ill will. Not good.
2. Embarrassing situations. I have a very close friend who lives in another state; her state happens to be her username. Someone else, completely innocently, has changed their nick to be the state name as well. Today I nearly sent some very personal information to the person with the nick (not the actual user) because I saw their name as a responder to a plurk and sent a private plurk from the drop-down menu next to their name. I happened to look down and notice that the name was different before I hit "plurk" and avoided the mess. But it is my opinion that I should not have to worry about accidentally sending private information to the wrong person because they chose a nick that duplicates a user name.
I hope my rambling makes sense :)
thx, sbj
-
I think most websites that allow display names do not bother to make them unique... I'm not sure why this is an issue... nearly every site that lets you set your "real name" as your display name is bound to have overlaps. If unintentional, the userpic should help; if intentional/malicious, then the user needs to be reported through normal channels.
Also, AFAIK you have to be "friends" to send private plurks... so it would really be quite elaborate to get "re-friended" as an imposter just to intercept private messages.
-
I thought you had to be friends too... but... it just happened to me today... so either I'm friends with the other person and just did not know it (unlikely, but possible) or you don't have to be. Also, when you send a PP from inside a thread there is no pic.
Mind you, I would encourage anyone to (as I did) double check who you are sending to before hitting send. However, that does not change the fact that sending to the wrong person is more than possible; it is very easy to do.
-
I hadn't thought of the "within thread" context... perhaps you are allowed to PP anyone active in the thread? Seems like this should not be allowed, to enforce the friendship security measure, if names are going to remain non-unique. Or, simply add the unique username somewhere in that drop-down menu that contains the option to send a private plurk.
This is silly... on Facebook or MySpace or almost any social networking site someone can copy another person's name/picture/profile and it has never been a serious problem. Nobody's transmitting their SS# or CC# via plurk. Just protect PlurkBuddy's name or any other "official" plurkers and we'll be fine.