ValveSoftware / Source-1-Games

Source 1 based games such as TF2 and Counter-Strike: Source

[TF2] [Exploit] Duplicate name check bypass (Name impersonation), and a proposed fix for it #3666

Open AzureWoof opened 3 years ago

AzureWoof commented 3 years ago

Typically, when two players have the exact same name on a server, the game will place a "(1)" in the name of the most recent player who joined with that name. This number will increase as more players with the same name join the server. This was intended to stop players from impersonating one another, and has been in place for a very long time.

Unfortunately, it's extremely easy to bypass the check that's supposed to ensure that you're not impersonating someone else. Using whitespace characters at either the beginning or end of a name will cause the check that's responsible for this to think your name is unique, allowing you to successfully impersonate other players. While the name is technically unique, the characters being used are invisible to the naked eye. This makes it very difficult for players to kick the correct person, especially if the impersonator also steals the real player's avatar.

Malicious bots in Casual servers have been abusing this for a very long time.

A proposed fix would be to purge out any spaces (or any problematic / invisible characters) in the name check. The check would still work as intended, but any invisible characters wouldn't count towards the "uniqueness" of a name, and the "(1)" would be successfully added to the impersonator's name, allowing players to safely kick the correct person. This would fix a lot of scenarios where players would mistakenly kick the wrong person.

Below is a visual example of how doing this would help fix this problem.

(1.) Normal check, successful prefix addition:

```
Joining client's name: "Laser Bread"
"Laser Bread" = "Laser Bread"
"Laser Bread" ≠ "Sometimes, I dream about cheese"
Name not unique. First duplicate. Joining as "(1)Laser Bread"
```

Explanation: If the client joining has the same exact name as one on the server, the game successfully adds the numbered prefix.

(2.) Normal check, unsuccessful prefix addition:

```
Joining client's name: "Player "
"Player " ≠ "Player"
Unique name.
```

Explanation: Even though the name is the same, the whitespace character fools the check, resulting in the prefix not being added.

(3.) Proposed altered check that omits spaces, successful prefix addition in otherwise unsuccessful scenario:

```
Joining client's name: " Laser Bread "
Name during checking: "LaserBread"
"LaserBread" = "LaserBread"
"LaserBread" ≠ "Sometimes,Idreamaboutcheese"
"LaserBread" = "LaserBread" (First Duplicate)
Name not unique. Second duplicate. Joining as "(2) Laser Bread "
```

Explanation: Purging spaces maintains the integrity of the check, while also improving the accuracy and reliability of it.

Yetoo1 commented 3 years ago

Invisible Unicode characters other than space (\u0020), such as \u2063, would need to be included in the list of characters to collapse, unless there is a mass of space/separator characters that are already invalid when trying to set a Steam name via the API.

Yetoo1 commented 3 years ago

Alternatively, invisible characters could be highlighted or marked so it's easier to kick.

shaiko2k commented 2 years ago

As of 1/16/22, malicious bots have been using the U+202C (Pop Directional Formatting) Unicode character as a means to impersonate users.
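The following is an added example, not code from this repository or from any commenter, that models the duplicate-name check discussed in this thread: the original exact-string comparison that whitespace bypasses (AzureWoof's examples 1 and 2), the proposed check that strips spaces before comparing (example 3), Yetoo1's point that other invisible Unicode characters such as U+2063 have to be collapsed too, the U+202C case shaiko2k reports, and Yetoo1's alternative of making invisible characters visible so the right player can be kicked. The function names, the choice of Unicode categories treated as invisible, and the handling of an existing "(N)" prefix (stripped before comparing, so that "(1)Laser Bread" counts as a duplicate of "Laser Bread" exactly as in example 3) are assumptions made for this example; the engine's real data structures are not known here.

```python
import re
import unicodedata

# Unicode general categories that render as nothing (or as whitespace) and
# therefore must not contribute to a name's "uniqueness":
#   Zs/Zl/Zp = space and line/paragraph separators (U+0020, U+00A0, ...)
#   Cc       = control characters (tab, ...)
#   Cf       = format characters (U+200B, U+2063, U+202C, ...)
# Assumption for this example; the engine has no such list on the page.
INVISIBLE_CATEGORIES = {"Zs", "Zl", "Zp", "Cc", "Cf"}

# Leading "(N)" as added by the server when a duplicate joins (assumption).
PREFIX_RE = re.compile(r"^\(\d+\)")


def is_invisible(ch: str) -> bool:
    """True for characters a player cannot see in the scoreboard."""
    return unicodedata.category(ch) in INVISIBLE_CATEGORIES


def normalize_name(name: str) -> str:
    """Canonical form used ONLY for the uniqueness check.

    The display name is never modified; only the comparison key is.
    """
    collapsed = "".join(ch for ch in name if not is_invisible(ch))
    # Treat an already-numbered duplicate as the same base name, so the count
    # in example 3 ("(1)Laser Bread" counts as the first duplicate) works out.
    return PREFIX_RE.sub("", collapsed)


def naive_is_unique(existing_names: list[str], joining_name: str) -> bool:
    """The original behaviour: exact string equality, bypassed by whitespace."""
    return joining_name not in existing_names


def assign_unique_name(existing_names: list[str], joining_name: str) -> str:
    """Hardened check: compare normalized keys, prefix "(N)" when not unique.

    N is the number of players already on the server whose normalized name
    matches, mirroring the increasing number described in the issue.
    """
    key = normalize_name(joining_name)
    duplicates = sum(1 for n in existing_names if normalize_name(n) == key)
    if duplicates == 0:
        return joining_name
    return f"({duplicates}){joining_name}"


def mark_invisible(name: str) -> str:
    """Render invisible characters as [U+XXXX] so they can be seen in a vote.

    Ordinary spaces between visible characters are left alone; leading and
    trailing spaces, and every other invisible character, are marked.
    """
    lead = len(name) - len(name.lstrip(" "))
    visible_end = lead + len(name.strip(" "))
    out = []
    for i, ch in enumerate(name):
        interior_space = ch == " " and lead <= i < visible_end
        if is_invisible(ch) and not interior_space:
            out.append(f"[U+{ord(ch):04X}]")
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample server population and joining names.
    server = ["Laser Bread", "Sometimes, I dream about cheese"]
    print(assign_unique_name(server, "Laser Bread"))        # (1)Laser Bread
    print(naive_is_unique(["Player"], "Player "))           # True (bypass)
    print(assign_unique_name(["Player"], "Player "))        # (1)Player
    server.append("(1)Laser Bread")
    print(assign_unique_name(server, " Laser Bread "))      # (2) Laser Bread
    print(assign_unique_name(server, "Laser Bread\u202c"))  # (2)Laser Bread...
    print(mark_invisible("Laser Bread\u202c"))              # Laser Bread[U+202C]
```

The key design point is that normalization touches only the comparison key; the player's chosen display name is passed through unchanged, so a legitimate name with interior spaces is unaffected. Collapsing by Unicode category rather than by a hand-written list is what covers U+2063 and U+202C without having to enumerate each code point; characters that are visible but look alike are a separate problem that this check does not attempt to solve.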