Got a Bounty with Account Takeover (ATO) via a Unicode Case Mapping Collision!
Hey hunters! Recently I discovered a Unicode case mapping collision vulnerability on a private program.
Unicode is exceptionally complex. Few people know all of its tricks: invisible characters, control characters, surrogate pairs and combined emoji (where joining two characters produces a third).
As the vulnerability has not been patched yet, I am denoting the website as “xyz.in” in this blog.
I registered my own domain to exploit a security flaw in the xyz.in forgot-password process and gain access to an account belonging to a privileged user.
THAT SHIT COST ME $20
In this case, I used the Turkish character ‘ı’ (‘i’ without a dot), which is mapped to the Latin ‘i’ when the application changes the case of the input, so that the email address Test@xyz.ın after processing turns into Test@xyz.in.
- Successfully registered the domain xyz.ın (with the dotless ı)
- Created a free email account from the Google G Suite trial and named it “Admin@xyz.ın”
- Created an account on “xyz.in” with the malicious email address “admin@xyz.ın”
- Logged out of that account, logged back in as “admin@xyz.ın” and clicked Forgot Password
- Intercepted the request; the submitted address was reflected in UPPER CASE
- The database lookup resolved the malicious email to the real admin user and issued a password reset token, which was sent to the malicious email address
- Successfully changed the password of the admin user and got the bounty!!
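To show the collision behind these steps, the flawed lookup and a hardened one side by side, here is an added Python example (not code from the original post or the affected program); the account table and the function names are constructed for illustration, and the collision check is written generally so it also catches other case-mapping aliases such as ß/SS.

```python
import unicodedata

# Constructed sample account table; the real program's data is not known.
ACCOUNTS = {"admin@xyz.in": "admin", "test@xyz.in": "user"}


def collides_on_upper(a: str, b: str) -> bool:
    """The collision itself: two distinct strings become equal once both
    are upper-cased ('ı'.upper() == 'I', 'ß'.upper() == 'SS', ...)."""
    return a != b and a.upper() == b.upper()


def vulnerable_reset(submitted: str):
    """Models the flawed flow from the write-up: upper-case both sides to
    find the account, then mail the token to the address the user typed.
    Returns (matched stored address, address the token is sent to)."""
    for stored in ACCOUNTS:
        if stored.upper() == submitted.upper():
            return stored, submitted
    return None


def canonical_email(addr: str):
    """Hardened canonicalisation: NFKC-normalise, then only accept pure
    ASCII so no cross-script case mapping can alias another account.
    (Internationalised addresses would instead need IDNA/Punycode on the
    domain part, which keeps xyz.ın distinct from xyz.in.)"""
    norm = unicodedata.normalize("NFKC", addr)
    if not norm.isascii():
        return None
    return norm.lower()


def safe_reset(submitted: str):
    """Look up by the canonical form and send the token only to the stored
    address, never to the submitted string."""
    key = canonical_email(submitted)
    if key is None or key not in ACCOUNTS:
        return None
    return key, key
```

Run `vulnerable_reset("admin@xyz.ın")` to see the admin account matched with the token routed to the attacker-controlled address, while `safe_reset` rejects the same input.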
Such collisions can be found on all Unicode planes: here is the complete list.
Happy Hunting!
Credits: @shaurya_sharma