Help get this topic noticed by sharing it on Twitter, Facebook, or email.
I’m VERY concerned.

EXTREMELY CRITICAL SECURITY ISSUE

Plurk allows users with karma of 40 or above to change their display name from something different than their user name. For example, if my username is joe123, I can change my display name to just say "Joe" once I reach 40 karma.

Unfortunately there doesn't appear to be any safeguards on this to prevent users from changing their *display name* to someone else's *username*. I was able to successfully change my display name to the username of one of my friends. See this plurk thread: http://www.plurk.com/p/uy9o

While my correct user profile will display *if* someone clicks on my profile, it is still easy to misrepresent who you are using this technique and possibly getting sensitive information by other members who have been fooled.

I would suggest that Plurk turn off the feature to change a display name immediately until a fix can be put in place.
3 people have
this problem
+1
Reply