GSoC/GCI Archive
Google Code-in 2010 Drupal

Prevent homographic logins (impersonation)

completed by: dmitrig01

mentors: Dylan Tack

Description

In Drupal, a user can impersonate someone else by using non-Latin characters in their username. For example, a user named "admin" can be impersonated by registering a name that renders as "admin" but uses the Cyrillic small letter "a" in place of the Latin one.

Fixing this hole will make online communities safer. You'll learn to write Drupal modules, write unit tests, and safely handle Unicode text.

Deliverable

In order to prevent this type of attack, Drupal will need to trim and transliterate (convert to ASCII) each user name, and store this value in the database. Before allowing a new account to be created, the name will be checked to see if a similar user exists.

The deliverable will be a contributed module compatible with Drupal 7.x, including unit tests in the SimpleTest framework. The transliteration module should be used as a dependency.
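The trim, transliterate, store and compare steps described above, as an added language-neutral sketch in Python; it is not the Drupal module or code from the task. The `LOOKALIKES` table is a small constructed stand-in for the transliteration module's data, `UserStore` is a hypothetical in-memory user table, and characters the table does not cover are left unchanged rather than converted to ASCII.

```python
import unicodedata

# Constructed sample table standing in for the transliteration module's data:
# a few Cyrillic and Greek letters that render like Latin ones. Not exhaustive.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic
    "\u03bf": "o", "\u03b1": "a",                                # Greek
}


def canonical_name(name):
    """Trim and transliterate a username into a comparison key."""
    # NFKC folds compatibility forms (fullwidth letters, no-break space).
    text = unicodedata.normalize("NFKC", name).strip().casefold()
    text = "".join(LOOKALIKES.get(ch, ch) for ch in text)
    # Decompose and drop combining marks so accented letters match bare ones.
    text = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in text if not unicodedata.combining(ch))


class UserStore:
    """In-memory stand-in for the user table and its stored canonical value."""

    def __init__(self):
        self._names_by_key = {}

    def conflict(self, name):
        """Return the existing username that `name` resembles, or None."""
        return self._names_by_key.get(canonical_name(name))

    def register(self, name):
        """Create the account only if no similar name exists."""
        key = canonical_name(name)
        if not key or key in self._names_by_key:
            return False
        self._names_by_key[key] = name.strip()
        return True


if __name__ == "__main__":
    store = UserStore()
    print(store.register("admin"))          # Latin name, accepted
    print(store.register("\u0430dmin"))     # Cyrillic first letter, rejected
    print(store.conflict("\uff21dmin "))    # fullwidth A, resembles "admin"
```

Storing the key next to the username and giving it a unique index lets the database enforce the check even when two registrations race.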

Resources
  • http://www.cs.technion.ac.il/~gabr/papers/homograph_full.pdf
  • http://drupal.org/project/transliteration

Primary contact

grendzy

Drupal Issue

#85826: prevent homographic logins