Get Bounty 💵 with Account takeover (ATO) | vulnerability is still not patched yet HURRY!

Got Bounty with Account takeover (ATO) Unicode-Case Mapping Collision!


Hey hunters! Recently I discovered a Unicode-Case Mapping Collision vulnerability on a private program.

Unicode is exceptionally complex. Few people know all the tricks: from invisible characters and control characters to surrogate pairs and combined emojis (when adding two characters you get a third).

As the vulnerability is still not patched, I’m denoting the website as “xyz.in” in this blog.


I have just registered my own domain to exploit a security flaw in xyz.in’s forgot-password process to gain access to an account that belongs to a privileged user.

THAT SHIT COST ME $20 :joy:

In this case, I used the Turkish character ‘ı’ (‘i’ without a dot), which is translated into Latin ‘i’, so that the e-mail address Test@xyz.ın after processing turns into Test@xyz.in.

  • Successfully created a domain xyz.ın (without the dot)
  • Created a free email from the Google G-Suite trial pack and named it “Admin@xyz.ın”
  • Created an account on “xyz.in” with the malicious email address “admin@xyz.ın”
  • Logged out from that account >> logged in as “admin@xyz.ın” and clicked on Forgot Password
  • Intercepted the request >> the input was reflected in UPPER CASE
  • The DB lookup replaced the malicious user with the correct one and triggered a password reset token to the malicious email address
  • Successfully changed the password of the admin user, and got the bounty!!

Such collisions can be found on all Unicode planes: here is the complete list.


Happy Hunting! :moneybag:

Credits: @shaurya_sharma
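As an added example (not code from the original post or from the affected program), this Python snippet reproduces the collision with the same ‘ı’ (U+0131) character and contrasts the UPPER CASE lookup with a canonical key plus a reset flow that only mails the address on record. The user store, the function names and the extra ‘ſ’ (U+017F) collision are constructed for illustration; they go beyond the post to show why uniqueness must be enforced on the canonical key at registration.

```python
import unicodedata

# Constructed sample user store: the privileged user registered an ASCII address.
USERS = {"admin@xyz.in": {"name": "admin"}}

def upper_key(email: str) -> str:
    """Lookup key as the vulnerable flow in the post built it: plain UPPER CASE.
    'ı' (U+0131) uppercases to ASCII 'I', so 'xyz.ın' and 'xyz.in' get the same key."""
    return email.upper()

def canonical_key(email: str) -> str:
    """Defensive key: NFKC + casefold on the local part, IDNA (ASCII) on the domain.
    A non-ASCII label such as 'ın' becomes an xn-- label and can never equal 'in'."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    local = unicodedata.normalize("NFKC", local).casefold()
    domain = domain.encode("idna").decode("ascii").lower()  # ASCII after IDNA
    return f"{local}@{domain}"

def find_user(submitted: str, keyfn):
    """Return (stored_address, record) whose key equals the submitted address's key."""
    wanted = keyfn(submitted)
    for stored, rec in USERS.items():
        if keyfn(stored) == wanted:
            return stored, rec
    return None

def reset_target_vulnerable(submitted: str):
    """Matches on UPPER CASE and mails the token to the *submitted* address (the bug)."""
    return submitted if find_user(submitted, upper_key) else None

def reset_target_fixed(submitted: str):
    """Matches on the canonical key and mails only the address on record."""
    try:
        hit = find_user(submitted, canonical_key)
    except ValueError:
        return None
    return hit[0] if hit else None

def register(email: str) -> bool:
    """Registration enforces uniqueness on the canonical key: casefold itself
    still merges e.g. 'ſ' (U+017F) with 's', so two raw strings may share one key."""
    if find_user(email, canonical_key):
        return False
    USERS[email] = {"name": email.split("@")[0]}
    return True
```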


The question is, how and where did he register the domain with Latin words?
