Spoofing someone in Slack is terrifyingly easy
Slack allows you to edit your "Display Name" on your profile. That's what everybody else sees. There's no enforcement of uniqueness.
In other words, if the big boss is "John Smith", you can set your "display name" to "John Smith" and you can also set your picture to John Smith's picture and then poof! you're basically John Smith in Slack so far as everybody else is concerned.
5 comments
[ 3.2 ms ] story [ 23.4 ms ] threadThere's no way to "hack" it and spoof someone else. If you want to change your display name, you change it officially at the company source (which is straightforward and quick, so "Joseph" can easily be "Joe" or whatever).
Is it trivial for the new user? Probably not. That is why organizations have training courses, where they tell the employees: Pay attention to the important parts (aka the handle, not the name)
Consider “internationalized domain names”, which are implemented via Punycode. The following URL does not go to Gmail: mail.goοgle.com
Note that this URL isn’t resolvable as of when I submitted this comment. Assuming no one has bought the domain and hosted something malicious there since then, you should be able to paste it into your browser to see what I’m talking about.
Depending on your font settings, that probably looks indistinguishable from the correct URL. Here it is again, followed by the correct URL:
mail.goοgle.com
mail.google.com
I created the above by substituting the first “o” with a lower-case Greek omicron (ο, Unicode U+03BF). The URL bar in your browser may or may not show the ASCII version - mail.xn--gogle-sce.com - once you navigate to it.
I suppose my point here is that if the domain name system in use by the entire Internet doesn’t consider this to be a bug that must be squashed, then I wouldn’t consider Slack’s lack of a uniqueness constraint for display names to be an issue :)
ETA: HN converts non-ASCII characters in URLs to Punycode upon submission. I had to omit the protocol portion of the URL to get it to display as entered. Good job, @dang :)