Currently, there is a MAJOR leak in the anti-spoof system. In order to create an account name similar to that of an existing user (even if the user already has an SUL, which they probably mostly do), all you need to do is find a wiki project where the user doesn't have an account yet (probably easy to guess, or else it can be checked), create a similar account name (this is an SUL), and then log in where the active user is active - and you have spoofed him successfully.
Version: unspecified
Severity: enhancement
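
The gap described in this report, as an added example that is not part of the original report and is not the extension's own code: a similarity check scoped to the wiki where the account is created, next to one scoped to the global (SUL) account index. The class, the method names, the tiny confusables table and the account names are all constructed for illustration.

```python
import unicodedata

# Constructed confusables table (assumption): a real anti-spoof check
# uses a much larger equivalence set.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "а": "a", "е": "e", "о": "o"})


def skeleton(name):
    """Fold a username to the key used for look-alike comparison."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return folded.translate(CONFUSABLES)


class Accounts:
    """Hypothetical model of local accounts plus a global (SUL) index."""

    def __init__(self):
        self.local = {}         # wiki -> {skeleton: name} for that wiki only
        self.global_index = {}  # skeleton -> name across every wiki

    def _register(self, wiki, name):
        key = skeleton(name)
        self.local.setdefault(wiki, {})[key] = name
        self.global_index.setdefault(key, name)

    def create_local_check(self, wiki, name):
        """Flawed scope: compares only against accounts on the creating wiki."""
        if skeleton(name) in self.local.get(wiki, {}):
            return False
        self._register(wiki, name)
        return True

    def create_global_check(self, wiki, name):
        """Corrected scope: compares against every global account."""
        if skeleton(name) in self.global_index:
            return False
        self._register(wiki, name)
        return True


def demo():
    flawed, fixed = Accounts(), Accounts()
    for registry in (flawed, fixed):
        registry._register("enwiki", "Alice")  # existing user, no dewiki account
    lookalike = "A1ice"  # constructed look-alike name
    return (flawed.create_local_check("dewiki", lookalike),
            fixed.create_global_check("dewiki", lookalike))
```

With the per-wiki check the look-alike is accepted on a wiki the original user never visited and then exists as a global account; with the global check the same request is rejected regardless of which wiki it is made on.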