Bitcoin Forum
Topic: [Solved] Invisible character in usernames / Being added to trust list
EcuaMobi (OP)
Legendary
Activity: 1876
Merit: 1475
September 17, 2015, 05:20:21 PM
Last edit: November 18, 2015, 01:17:28 PM by EcuaMobi
 #1

Lately several users have created apparently blank usernames (on several encodings, not all of them) using the character
Code:
URL-encoded version:
Code:
%C2%9D

This character can also be used to impersonate another user by appending it at the end (or other position) which can cause security problems. It should be explicitly forbidden to use.

To test it I created this fake account of myself:
https://bitcointalk.org/index.php?action=profile;u=555622

In the meantime, be extremely careful when trading with newbies with accounts matching older members.
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
Activity: 1316
Merit: 1043
September 17, 2015, 05:21:26 PM
 #2

I've reported this bug like 2 years ago.
bad_char1
Newbie
Activity: 8
Merit: 0
September 17, 2015, 05:29:05 PM
 #3

Quote from: TradeFortress
I've reported this bug like 2 years ago.

It's a feature Angry
everaja
Hero Member
Activity: 490
Merit: 500
September 17, 2015, 05:33:36 PM
 #4

EcuaMobi is always on something unique..
Anyways, I had already reported such cases in 2014 when I joined here..
Even if you use a few characters that are not supported by SMF, it will work the same as you wrote in the OP.

EcuaMobi (OP)
Legendary
Activity: 1876
Merit: 1475
September 17, 2015, 05:39:20 PM
 #5

Quote from: TradeFortress
I've reported this bug like 2 years ago.

Quote from: everaja
EcuaMobi is always on something unique..
Anyways, I had already reported such cases in 2014 when I joined here..
Even if you use a few characters that are not supported by SMF, it will work the same as you wrote in the OP.

I didn't realize this until today; I guess I'm late then, but it's worth pushing the subject. Only basic characters that are guaranteed to be visible on every charset should be allowed for usernames.
I noted this character is completely invisible in my Chrome but I can see it in the titlebar of Firefox (although not on the page itself). It surely depends on the browser, language and specific charset used.
cakir
Legendary
Activity: 1274
Merit: 1000
September 17, 2015, 06:05:18 PM
 #6

Damn, that's why I see the last 3 names (that were automatically added) on my trust list:



poeEDgar
Sr. Member
Activity: 299
Merit: 250
September 17, 2015, 06:57:43 PM
 #7

Hmm, yeah it seems at the moment that tweaking my trust list causes a bunch of these to appear:

Quote from: Gavin Andresen
I woulda thunk you were old enough to be confident that technology DOES improve. In fits and starts, but over the long term it definitely gets better.
EcuaMobi (OP)
Legendary
Activity: 1876
Merit: 1475
September 17, 2015, 07:01:46 PM
 #8

Quote from: poeEDgar
Hmm, yeah it seems at the moment that tweaking my trust list causes a bunch of ~ to appear.

Yes the same happens here :/ If I enter just 'DefaultTrust' and hit save I get this:


Quote from: cakir
Damn, that's why I see the last 3 names (that were automatically added) on my trust list:
https://i.imgur.com/oXoouhN.png

Did you get those 3 last lines automatically?
Besides that, did you exclude my (real) account manually or was it added automatically too?
cakir
Legendary
Activity: 1274
Merit: 1000
September 17, 2015, 07:09:37 PM
 #9

Quote from: EcuaMobi
Quote from: poeEDgar
Hmm, yeah it seems at the moment that tweaking my trust list causes a bunch of ~ to appear.

Yes the same happens here :/ If I enter just 'DefaultTrust' and hit save I get this:


Quote from: cakir
Damn, that's why I see the last 3 names (that were automatically added) on my trust list:
https://i.imgur.com/oXoouhN.png

Did you get those 3 last lines automatically?
Besides that, did you exclude my (real) account manually or was it added automatically too?

I've added your account manually and the last 3 lines were auto added.
(Ps: I don't intend to distrust you, it was about something else Smiley )


EcuaMobi (OP)
Legendary
Activity: 1876
Merit: 1475
September 17, 2015, 07:18:19 PM
 #10

Quote from: cakir
I've added your account manually and the last 3 lines were auto added.
(Ps: I don't intend to distrust you, it was about something else Smiley )

I was asking because if I manually type this:


I automatically get this:


My main account is excluded and those blank accounts are included! So it's concerning if the first can appear automatically and the second is one 'Update' click away. Although maybe you got my fake account just because you had added my real account before anyway. Can an admin check into this?
--Encrypted--
Copper Member
Legendary
Activity: 924
Merit: 1007
September 17, 2015, 08:28:13 PM
 #11

Just tried clicking update with only DT on my trust list.
The blank accounts get excluded automatically (can't even remove it) while the copycat accounts are not. Added EcuaMobi and the copycat EcuaMobi also appeared.

The auto-update is kind of weird because both admins have not been online for hours.
tspacepilot
Legendary
Activity: 1456
Merit: 1081
September 18, 2015, 12:51:58 AM
 #12

Confirmed same here when I checked this morning, but now I don't see the same behavior.  Was some fix implemented?  I also noticed that poster number 3 in this thread went from a username of the empty string to a username of "bad_char1".
EcuaMobi (OP)
Legendary
Activity: 1876
Merit: 1475
September 18, 2015, 12:57:24 AM
 #13

Quote from: tspacepilot
Confirmed same here when I checked this morning, but now I don't see the same behavior.  Was some fix implemented?  I also noticed that poster number 3 in this thread went from a username of the empty string to a username of "bad_char1".

I sent a PM to theymos and BadBear with a list of accounts with that character asking them to rename (or delete) those accounts. Maybe they did because of that or realized it by themselves. I also noticed those accounts were temporarily under theymos' trust list so I guess he was checking it. My fake account was also renamed to bad_char13. It seems to be working fine now.
tspacepilot
Legendary
Activity: 1456
Merit: 1081
September 18, 2015, 01:21:55 AM
 #14

Quote from: EcuaMobi
Quote from: tspacepilot
Confirmed same here when I checked this morning, but now I don't see the same behavior.  Was some fix implemented?  I also noticed that poster number 3 in this thread went from a username of the empty string to a username of "bad_char1".

I sent a PM to theymos and BadBear with a list of accounts with that character asking them to rename (or delete) those accounts. Maybe they did because of that or realized it by themselves. I also noticed those accounts were temporarily under theymos' trust list so I guess he was checking it. My fake account was also renamed to bad_char13. It seems to be working fine now.

Got it.  That also explains why they were showing up by default for a moment there.  Thanks Ecua for filling me in (and thanks admins for fixing it).
theymos
Administrator
Legendary
Activity: 5376
Merit: 13407
September 18, 2015, 04:14:53 AM
 #15

Interesting bug. When using the utf8_unicode_* collation, MySQL treats invalid UTF-8 characters (like the X'C29D' string used here) as being equal to an empty string, even in the middle of other strings. Normally this isn't such a big deal, but in certain queries it's a major problem. In particular, this is really really bad if you're using the text as some sort of ID and the ID column is not constrained to be unique (as is the case with SMF's memberName column for some reason).

Those weird users were being added to your list because an SQL query was adding all users who matched memberName in ('') or in EcuaMobi's case memberName in ('Quickseller', ...), and this matched multiple unintended users due to that empty-string confusion. There are security implications here. AFAICT, some serious (but not critical) mischief could've been done by impersonating privileged users in certain cases. I bet there are a lot of sites out there that have more serious vulnerabilities due to this sort of thing. And I never even considered collation as a source of these issues -- it's not something I've given more than a passing glance at previously. This looks like a pretty serious flaw in SQL and/or MySQL which should be publicized more IMO. It's too difficult to reason about correctness here.

- I cleared those users from everyone's trust lists and renamed them. Some similar users probably still exist in the DB, but I don't see the need to search them out.
- I revised all of the database's collation rules to settings which should work as intended. This required locking tables for extended periods of time, which is what caused the other weirdness over the last few hours.
- I made it so you can't use names containing invalid UTF-8 strings or control characters.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
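
Added example (not part of the thread, and not the forum's or SMF's code): a Python sketch of the last fix listed above, rejecting names with invalid UTF-8 or control characters at registration, plus an audit that finds stored names which would match each other or the empty string. The rejected category set, the function names and the sample names are assumptions, and `comparison_key` only approximates the comparison behaviour described in the post.

```python
import unicodedata

# Assumed policy: reject control (Cc), format (Cf, e.g. zero-width),
# unassigned (Cn), private-use (Co) and surrogate (Cs) code points.
FORBIDDEN = {"Cc", "Cf", "Cn", "Co", "Cs"}

# Constructed sample data; the bytes C2 9D from the thread decode to U+009D.
SAMPLE_NAMES = ["EcuaMobi", "EcuaMobi\u009d", "\u009d", "Quickseller"]


def validate_username(raw: bytes) -> str:
    """Decode a submitted name, raising ValueError if it must be rejected."""
    try:
        name = raw.decode("utf-8")  # strict mode: malformed sequences raise
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid UTF-8: {exc.reason}") from None
    if not name.strip():
        raise ValueError("empty or whitespace-only name")
    for ch in name:
        if unicodedata.category(ch) in FORBIDDEN:
            raise ValueError(f"forbidden character U+{ord(ch):04X}")
    return name


def comparison_key(name: str) -> str:
    """Approximate a comparison that treats forbidden characters as empty."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(c for c in folded if unicodedata.category(c) not in FORBIDDEN)


def find_collisions(names):
    """Return groups of stored names that compare equal, or equal to ''."""
    groups = {}
    for name in names:
        groups.setdefault(comparison_key(name), []).append(name)
    return {k: v for k, v in groups.items() if k == "" or len(v) > 1}


if __name__ == "__main__":
    for key, members in find_collisions(SAMPLE_NAMES).items():
        print(repr(key), [m.encode("utf-8") for m in members])
```

Validation at registration only covers new accounts; the audit is what surfaces names already in the table, and a unique constraint on the stored comparison key would stop two rows from matching the same lookup.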