Account Takeover using Unicode – A bug bounty hunter identified a Unicode case-mapping collision vulnerability in a private program. The affected platform, referred to here only as “xyz.in,” has yet to patch this potentially serious flaw.
The hunter used the Turkish dotless ‘ı’ (U+0131, an ‘i’ without a dot). Its upper-case form is the plain Latin ‘I’, so any case-insensitive comparison treats ‘ı’ and ‘i’ as the same letter. With it the hunter set up the look-alike domain “xyz.ın”: a domain distinct from “xyz.in”, yet one that collides with it as soon as the application normalises case.
Through a free Google G Suite trial the hunter created the mailbox “admin@xyz.ın” on that domain, then registered an account on “xyz.in” with that address.
The Account Takeover using Unicode flaw sat in the forgot-password flow. The hunter intercepted the password-reset request and submitted the look-alike address; the backend’s case normalisation mapped ‘ı’ to ‘I’, so the attacker-controlled “admin@xyz.ın” collided with the stored “admin@xyz.in” and the reset was applied to the legitimate admin record rather than to the attacker’s own account.
As a result, the admin user’s password was changed, which shows how serious a Unicode case-mapping collision becomes when it lands in an identity-bearing field such as an e-mail address. Despite the exploit’s success, the website has yet to close the hole. Stay tuned for updates on this unfolding story.
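To make the mechanism concrete, here is an added example (not code from the write-up or from the affected site): a password-reset lookup that compares addresses with `upper()`, the way `UPPER(email) = UPPER(?)` does in SQL, beside a hardened lookup, plus a scan of the Basic Multilingual Plane for every non-ASCII character that case-maps onto ASCII. The user table, the addresses and the `request_reset` flow (token bound to the matched account, mail sent to the typed address) are constructed assumptions; the hardened version assumes a design decision that only ASCII addresses are accepted, which is the simplest way to rule out this whole class.

```python
"""Added example (not from the write-up): a Unicode case-mapping collision
in a password-reset lookup, a hardened lookup, and a scan for every BMP
character that case-maps onto ASCII. Accounts and addresses are constructed."""
import unicodedata

DOTLESS_I = "\u0131"  # 'ı' LATIN SMALL LETTER DOTLESS I; 'ı'.upper() == 'I'

# Constructed user table: stored address -> record (insertion order matters,
# the victim was registered first, the attacker later).
USERS = {
    "admin@xyz.in": {"role": "admin"},
    f"admin@xyz.{DOTLESS_I}n": {"role": "user"},  # attacker's own account
}


def vulnerable_lookup(submitted):
    """Case-insensitive match via upper(), as in SQL's UPPER(email) = UPPER(?).
    Returns the first stored address whose upper-cased form equals the input's,
    so 'admin@xyz.ın' resolves to the victim's 'admin@xyz.in'."""
    key = submitted.upper()
    for stored in USERS:
        if stored.upper() == key:
            return stored
    return None


def hardened_lookup(submitted):
    """Assumed design: only ASCII addresses are accepted. lower() on ASCII can
    never pull a non-ASCII code point onto an ASCII one, so the key is exact."""
    if not submitted.isascii():
        return None
    key = submitted.lower()
    return key if key in USERS else None


def request_reset(submitted, lookup):
    """Assumed reset flow: the token is bound to the matched account while the
    mail goes to the address the caller typed. With the vulnerable lookup the
    token for admin@xyz.in is mailed to the attacker's inbox at xyz.ın."""
    account = lookup(submitted)
    if account is None:
        return None
    return {"account": account, "mail_to": submitted}


def ascii_case_collisions():
    """Every BMP non-ASCII character whose upper() or lower() is pure ASCII.
    Any of these can be used the way the dotless i was used here."""
    hits = {}
    for cp in range(0x80, 0x10000):
        ch = chr(cp)
        for mapped in (ch.upper(), ch.lower()):
            if mapped != ch and mapped.isascii():
                hits[ch] = mapped
    return hits


if __name__ == "__main__":
    attacker = f"admin@xyz.{DOTLESS_I}n"
    print("vulnerable:", request_reset(attacker, vulnerable_lookup))
    print("hardened:  ", request_reset(attacker, hardened_lookup))
    for ch, mapped in sorted(ascii_case_collisions().items()):
        print(f"U+{ord(ch):04X} {ch!r} -> {mapped!r}  {unicodedata.name(ch, '?')}")
```

The scan turns up more than the dotless i: the long s ‘ſ’ (U+017F) upper-cases to ‘S’, the Kelvin sign ‘K’ (U+212A) lower-cases to ‘k’, and ‘ß’ upper-cases to ‘SS’, so a fix that only blocks U+0131 is incomplete. Two checks a practitioner should apply to any reset flow: canonicalise the address once at registration and store that form, and always send the reset mail to the address stored on the matched record, never to the one supplied in the request.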
Link to read full write up: here