The Plugin "Spoof"
How can a user find if the plugin "spoof" is active on a community using open.Vanilla?
I have user accounts in several Vanilla community forums. I came across this plugin when I installed the latest version on my web site. There is no way an admin, or anyone, should be allowed to log in as a different user for any amount of time. They can create a user account for debugging permissions.
The Vanilla community's reputation is now questionable.
Comments
I can think of about a dozen valid criticisms of Vanilla off the top of my head, several of them security-related. As someone moving away from Vanilla, I have no horses left in this race. But for real: If you're gonna claim there's a problem here, at least do absolutely minimal work of explaining what the problem actually is and why it's different from other owner abilities (like direct database access, or the ability to reset passwords or change email addresses of users). Like... at least think it through before speaking and putting the onus on someone else to explain all the ways you simply haven't.
Even the framing of their "reputation is now questionable" implies this is some new feature and not something that literally shipped alongside the very first release 13 years ago. It's not on by default, so the owner (who has access to do literally anything they want to misrepresent data in any way you can imagine) has chosen to allow select folks to spoof. Would I do that on my community? No. But it's a valid feature if someone has that use case and it's not an inherent security threat for existing.