sherlock-project / sherlock

Hunt down social media accounts by username across social networks
https://sherlockproject.xyz
MIT License

Long Fake Username has Many False Positives #2313

Open joeyagreco opened 1 month ago

joeyagreco commented 1 month ago

Installation method

Homebrew

Description

> sherlock foobarbazquxsherlockfakeusernamethisisfakelol
[*] Checking username foobarbazquxsherlockfakeusernamethisisfakelol on:

[+] Amino: https://aminoapps.com/u/foobarbazquxsherlockfakeusernamethisisfakelol
[+] Bikemap: https://www.bikemap.net/en/u/foobarbazquxsherlockfakeusernamethisisfakelol/routes/created/
[+] Discord: https://discord.com
[+] HackTheBox: https://forum.hackthebox.eu/profile/foobarbazquxsherlockfakeusernamethisisfakelol
[+] HudsonRock: https://cavalier.hudsonrock.com/api/json/v2/osint-tools/search-by-username?username=foobarbazquxsherlockfakeusernamethisisfakelol
[+] Kick: https://kick.com/foobarbazquxsherlockfakeusernamethisisfakelol
[+] LibraryThing: https://www.librarything.com/profile/foobarbazquxsherlockfakeusernamethisisfakelol
[+] ProductHunt: https://www.producthunt.com/@foobarbazquxsherlockfakeusernamethisisfakelol
[+] Strava: https://www.strava.com/athletes/foobarbazquxsherlockfakeusernamethisisfakelol

[*] Search completed with 9 results

This shouldn't return anything.

This username is fake.

Steps to reproduce

  1. Install sherlock
  2. Run with some fake username

Additional information

No response

alokranjan609 commented 1 month ago

I encountered the same bug when entering an invalid name. The links saved in the .txt file are all pointing to non-existent pages, resulting in a 404 status code.

visheshdvivedi commented 1 month ago

I would like to look into this bug. Please assign it to me.

joeyagreco commented 1 month ago

These will likely each need their own investigation.

Sites that no longer have a valid detection method without logging in would be explained here, and those that do would need some tweaks to the URL.

alokranjan609 commented 1 month ago

@joeyagreco Is the list of sites giving false positives for a long fake username the same each time, or do they return different values each time?

joeyagreco commented 1 month ago

@alokranjan609 For me it's always the same list of sites returning false positives. The list that is mentioned in the original post.

visheshdvivedi commented 1 month ago

> These will likely each need their own investigation.
>
> Sites that no longer have a valid detection method without logging in would be explained here, and those that do would need some tweaks to the URL.

We can then plan an investigation for each of the URLs you mentioned in the issue. Maybe opening separate issues for them would be a good idea.
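
The per-site triage discussed in this thread, as an added example that is not part of the original issue or Sherlock's own code: a control username that cannot exist is checked alongside the real one, and any site whose detection rule still reports a hit for the control is marked unreliable. The rule schema, site names and responses below are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Response:
    status: int
    final_url: str
    body: str

def claims_exists(resp, rule):
    """Apply one detection rule (hypothetical schema) to a fetched response."""
    kind = rule["kind"]
    if kind == "status_code":      # hit when the profile URL answers 2xx
        return 200 <= resp.status < 300
    if kind == "message":          # hit when the "no such user" text is missing
        return rule["absent_text"] not in resp.body
    if kind == "response_url":     # hit when not redirected to the error page
        return resp.final_url != rule["absent_url"]
    raise ValueError(f"unknown rule kind: {kind}")

def triage(rules, target, control):
    """Classify each site as 'found', 'not_found' or 'unreliable'."""
    verdicts = {}
    for site, rule in rules.items():
        if claims_exists(control[site], rule):
            # The rule fires for a username that cannot exist: false-positive source.
            verdicts[site] = "unreliable"
        elif claims_exists(target[site], rule):
            verdicts[site] = "found"
        else:
            verdicts[site] = "not_found"
    return verdicts

# Constructed sample data: SiteA serves a login wall with 200 for every name.
RULES = {
    "SiteA": {"kind": "status_code"},
    "SiteB": {"kind": "message", "absent_text": "User not found"},
    "SiteC": {"kind": "response_url", "absent_url": "https://sitec.example/404"},
}
TARGET = {
    "SiteA": Response(200, "https://sitea.example/login", "Please sign in"),
    "SiteB": Response(200, "https://siteb.example/u/alice", "alice's profile"),
    "SiteC": Response(200, "https://sitec.example/404", "Not here"),
}
CONTROL = {
    "SiteA": Response(200, "https://sitea.example/login", "Please sign in"),
    "SiteB": Response(200, "https://siteb.example/u/zz", "User not found"),
    "SiteC": Response(200, "https://sitec.example/404", "Not here"),
}

if __name__ == "__main__":
    for site, verdict in triage(RULES, TARGET, CONTROL).items():
        print(f"{site}: {verdict}")
```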