asd
HomeTakeoverAccount TakeoverBughunter utilized Unicode Character to exploit Account Takeover

Bughunter utilized Unicode Character to exploit Account Takeover

Account Takeover using Unicode – A skilled bug bounty hunter successfully identified a Unicode-Case Mapping Collision vulnerability within a private program. The impacted platform, discreetly referred to as “xyz.in,” has yet to patch this potentially serious security flaw.

The hunter strategically utilized a Turkish character, ‘ı’ (an ‘i’ without a dot), transforming it into the Latin ‘i.’ This clever manipulation allowed the creation of a seemingly legitimate domain, “xyz.ın,” with the potential to mislead.

By registering a free email account through Google G-Suite trial under the alias “Admin@xyz.ın,” the hunter navigated the system, registering an account on “xyz.in” with the deceptive email address “admin@xyz.ın.”

Taking advantage of this Account Takeover using Unicode flaw in the forget password process, the hunter intercepted and manipulated the password reset request. The vulnerability triggered a database replacement of the malicious input, paving the way for a successful account takeover.

As a result, the admin user’s password was changed, underscoring the severity of the Unicode-Case Mapping Collision. Despite the exploit’s success, the website is yet to address the security loophole. Stay tuned for updates on this unfolding story.

Link to read full write up: here

Save the PDF here

Christin
Christinhttps://secry.me/explore
A cybersecurity practitioner with more than 5 years of experience in the cybersecurity world. Has an interest in creating simple blog websites, learning about SEO and graphic design, writing, AI, and understanding the concepts of journalism. Intentionally created this website to make the world of cybersecurity more engaging by combining it with journalistic principles and presenting cybersecurity stories that are easy to understand, which can help anyone who wants to develop in the cybersecurity world.

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

nineteen − 12 =

Most Popular

GOOGLE ADVERTISEMENT

- Advertisement -