[Security] Disallow invisible characters in name
Reimajo
Although we've seen VRChat solving the issue of completely invisible player names, the underlying issue has not been solved.
We can still see malicious players every day who use control- or whitespace characters (apart from u0020) which makes it impossible to find those users on the website to report them.
To make it even harder, VRChat doesn't display the characters correctly and instead replaces them with _ or ° or whatever other characters that would be normal to use otherwise. This needs to stop, they're making it way too easy for players to be unreportable or to impersonate someone else.
If VRChat can't or doesn't want to display a character, it should be impossible to have that character in the name to begin with. If VRChat doesn't want to solve the issue of impersonating someone or avoiding a ban by obfuscating the name with weird symbols, they should at the very least follow "best practice" efforts and remove all control characters, whitespace characters (apart from u0020), and line feed characters from player names. This should also affect existing player names. If there is a resulting conflict between "Alex" and "Alex°°", VRChat would need to change "Alex°°" to "Alex 235" and ask "Alex 235" to change their username if wanted.
Here is a small "minimum list" of characters that should be removed:
\u00A0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200A \u202F \u205F \u3000 \u2028 \u2029 \u0009 \u000A \u000B \u000C \u000D \u0085 \uFEFF \u180E \u200B
The initial canny (https://feedback.vrchat.com/feature-requests/p/security-create-a-character-whitelist-to-prevent-hiding-usernames-through-unicod) was marked as solved despite there still being no whitelist in place that removes those characters. This is also bad because users expect that their name displays like it does on the website when they change it, only to find out it is displayed differently in game. This is a solution that only makes it worse imho. And without a whitelist and readable user ID in the menu, we're stuck with trying to report a player named "[̲̅][̲̅][̲̅][̲̅", something that is impossible for the average user.
✩Frisk✩
I sure like to get my Stars back -.- seeing that I'm the first one on the Social Search List no matter how you look at it -.-
It sure is a " Neck Breaker " having to re-upload all your contents over a name change that I never asked for....
... in which I've decided that I'll continue with these " °Frisk° " circles in the name....
Caffeinated_weeb
You can click people in-game (if not physically, then from the menu), and if you need to do that outside of the game, you have the output log. Even if they banned invisible characters, chances are you'd be unable to find a person called "пример" on the website unless you had a screenshot of his nameplate or something.
There's about 1114111 different possible Unicode values, and the problematic ones are spread around almost randomly. A blacklist is not really feasible, at least not against people who know what they're doing. We'd need a whitelist - but I feel like that would be a shame, and you'd have a lot of foreign users who would need their characters added.
Lastly, it would still be possible to use homograph attacks, for instance by replacing the latin character 'a' with the Cyrillic letter 'а'.
Removing just invisible characters might be possible depending on the font, but there exist at least 12 different whitespace characters alone.
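An added example, not part of the thread or VRChat's code: a display-name check that generalises the "minimum list" from the original post to Unicode general categories, so that related characters are caught without enumerating them, and that flags the Latin/Cyrillic mix described above. The function names and the three-script look-alike heuristic are assumptions made for illustration.

```python
import unicodedata

# The "minimum list" from the original post, as code points.
MINIMUM_LIST = [
    0x00A0, 0x1680, *range(0x2000, 0x200B), 0x202F, 0x205F, 0x3000,
    0x2028, 0x2029, *range(0x0009, 0x000E), 0x0085, 0xFEFF, 0x180E, 0x200B,
]

# General categories that cover the list above and its relatives: control,
# format, unassigned, private use, surrogate, and all separators.
INVISIBLE_CATEGORIES = {"Cc", "Cf", "Cn", "Co", "Cs", "Zl", "Zp", "Zs"}

# Assumption: only these scripts are treated as look-alikes of each other.
CONFUSABLE_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK"}


def invisible_chars(name):
    """Return (index, 'U+XXXX') for every disallowed character except U+0020."""
    return [
        (i, f"U+{ord(ch):04X}")
        for i, ch in enumerate(name)
        if ch != " " and unicodedata.category(ch) in INVISIBLE_CATEGORIES
    ]


def confusable_scripts(name):
    """Scripts from CONFUSABLE_SCRIPTS used by the letters in name."""
    found = set()
    for ch in name:
        if ch.isalpha():
            # The first word of a letter's Unicode name is its script.
            script = unicodedata.name(ch, "UNKNOWN").split()[0]
            if script in CONFUSABLE_SCRIPTS:
                found.add(script)
    return found


def check_display_name(name):
    """Return the reasons to reject name; an empty list means accepted."""
    problems = [f"invisible character {cp} at index {i}"
                for i, cp in invisible_chars(name)]
    if not name or name != name.strip(" ") or "  " in name:
        problems.append("empty, or leading/trailing/repeated spaces")
    scripts = confusable_scripts(name)
    if len(scripts) > 1:
        problems.append("mixed look-alike scripts: " + ", ".join(sorted(scripts)))
    return problems
```

A name written entirely in one script, such as "пример", passes; only a mix of look-alike scripts inside one name is flagged, which is a narrower test than an alphanumeric-only rule.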
xxx_red_xxx
Thanks for posting all the characters for us to use, 200iq idea.
Reimajo
xxx_red_xxx: No need to insult me, everyone with access to Google can easily get this list in a split second.
Sasha Mason
People already use it enough for it to be a problem, though. Not like this is some huge secret that only a few know about.
Tupper - VRChat Head of Community
Is it still possible to switch to display names with characters that are invisible?
Some accounts will have display names that are invisible, but we've prevented them from being usable for new accounts or changing names. We haven't retroactively applied the filter.
RedSpeeds
Tupper - VRChat Head of Community: Bit off topic, but could we also disallow characters that are untypeable? I see many weird names with characters that are impossible to find on a keyboard. Could we please restrict names to alphanumeric?
Reimajo
Tupper - VRChat Head of Community: Hello Tupper, this canny is generally about users who make it impossible for us to report or block them after they crashed us because VRChat allows them to obfuscate their name one way or another, including allowing impersonation. Applying a fix only to future names, but not all current names, isn't solving the issue. It's the reason I see it still happening a lot today and also the reason why I can't properly respond to your question here.
At the bare minimum, applying a filter to all existing usernames would be needed. Why is this a problem? VRChat doesn't display those characters correctly in game anyway, so users gain nothing from keeping their invisible characters, despite evading bans. If an invisible whitespace character is already displayed as ° in game today, it could also just be replaced by that character with no change for the user.
Aligning how the name looks in game with how it looks on the website should be no discussion point either, that's what everyone would expect, although it is currently not the case. Which leads to a whole other issue I want to address as well: All usernames are displayed in all uppercase in the browser, which doesn't align with how they appear in game. This is also making nobody happy, since some names are supposed to have CamelCase characters for example. Worst of all, if you copy a name in Chrome, it is copied in all uppercase, while copying the name in Firefox gives you the correct version. It's a mess. Please take away the following pain points from this canny:
- Display names should appear 1:1 in game and in (any) browser
- An all-uppercase font is a terrible idea
- A filter should be applied to existing names as well
- There are still very easy ways to become un-reportable by using weird Unicode characters, why not switch to an established system like any other social media site?
- At the very least, the menu should expose a unique, human-readable user-ID. I can already get this ID from the website for every user, so I see no reason to not show that ID in game.
Tupper - VRChat Head of Community
Reimajo: Exposing the uID makes the most sense here IMO. We've discussed letting you click an "off-to-the-side" UI element that puts it in your clipboard. No ETA, but know this is an issue.
Until then, your output log should show full display names. Temporal built a very nice output log parser that can help you figure out who joined when, and get names to hand off to moderation.
Reimajo
Tupper - VRChat Head of Community: Hello Tupper, thank you for the reply. This would be indeed a preferred solution to address the reporting issue.
As for all the other issues related to display names, it's unfortunately not. If VRChat has a rule about names, but this rule does not apply to all users, that rule is practically non-existent. This only screws with creators. We've seen this already when it comes to name character length limits, which also do not apply to legacy names, and we (speaking for the other people who agree with me on the U# discord on that) just feel like VRChat doesn't care about our issues. We made a canny about people with invisible names, to get rid of them, and we still have that issue today, despite the canny being marked as solved. Our code still breaks when someone with an old account name joins, from a time where other rules about the name were in place, not aligning with today's rules. Why not solve such issues properly instead, for all users? Why would VRChat even want to have different rules for different users on their platform?
Tupper - VRChat Head of Community
Reimajo: Mostly because we didn't want to force people to change their names unexpectedly.
xxx_red_xxx
RedSpeeds: no because what about other languages like Chinese, Japanese, Korean, Russian, etc which use different alphabets?
sheru
Tupper - VRChat Head of Community Sorry for the necro, but that log parser tool is no longer working these days.
Sasha Mason
As a pro tip to use in the meantime, VRCX (third party API tool) logs every user that is in the instance and makes it very easy to find the user ID / website URL to that user in there, provided you know who it is you are looking for.