This bug was originally reported by me to the OpenSimulator team on 2012-03-08 as issue 5923 (private). The bug was silently fixed (without credit) in a commit not long after, however there has been no notification to grid owners about this bug or even a new minor release (it's like those post fixes branches exist for no reason). Therefore I have decided to publish this issue in its entirety to hopefully give the developers a nudge in the butt to actually start caring about security issues.
Following is the original issue submitted to the tracker, edited only slightly to remove some pointless stuff.
In the LoginAgent method of OpenSim.Services.HypergridService.GatekeeperService, there is a section of code responsible for adjusting the name of incoming Hypergrid visitors, which is supposed to transform "Test User" into "Test.User @grid.example.com", for example.
However, if the last name already begins with a @, it will skip this process entirely and allow any name in the agent circuit data, allowing the "Test User" above to spoof their name as "Test.User @secondlife.com". As you can imagine, this can be used for easy impersonation of another user.
This issue does not affect the "profile name" of a user displayed in some areas of Viewer 1.x viewers, and it won't be shown at all to users on Viewer 3 viewers.