Got *Bounty* with Account Takeover (ATO) via Unicode Case-Mapping Collision!

Shaurya Sharma
Mar 5, 2020 · 2 min read

Hey hunters ! Recently I discovered a Unicode-Case Mapping Collision vulnerability on a private program.

Unicode is exceptionally complex. Few people know all of its tricks: invisible characters, control characters, surrogate pairs, and combined emoji (where adding two characters produces a third).

Because the vulnerability has not been patched yet, I refer to the website as “xyz.in” in this post.


I registered my own domain to exploit a flaw in the xyz.in forgot-password process and gain access to an account belonging to a privileged user.

THAT SHIT COST ME $20 😂

In this case I used the Turkish character ‘ı’ (‘i’ without a dot), which case mapping turns into the Latin ‘i’, so that the email address Test@xyz.ın becomes Test@xyz.in after processing.

  • Registered the domain xyz.ın (with the dotless ı).
  • Created a free mailbox on a Google G Suite trial and named it “Admin@xyz.ın”.
  • Created an account on “xyz.in” with the malicious email address “admin@xyz.ın”.
  • Logged out of that account, logged back in as “admin@xyz.ın” and clicked Forgot Password.
  • Intercepted the request; the input was reflected in UPPER CASE.
  • The database lookup matched the malicious user to the real one and sent a password reset token to the malicious email address.
  • Successfully changed the admin user’s password, and got the bounty!!

Such collisions can be found on all Unicode planes: here is the complete list.
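To make the steps above and the "complete list" concrete, here is an added Python example (not code from the original post or from the affected site) that reproduces the collision against a constructed in-memory user table, contrasts the flawed reset flow with a hardened one, and generates the list of code points that fold into ASCII by scanning every Unicode plane locally. The user table, the `reset_*` and `can_register` functions and the address `admin@xyz.ın` are assumptions for illustration.

```python
import sys

# Constructed user table standing in for the site's database: the key is the
# upper-cased address used for lookups, the value holds the stored contact
# address the reset mail should actually go to.
USERS = {"ADMIN@XYZ.IN": {"email": "admin@xyz.in", "role": "admin"}}


def is_case_mapping_collision(a: str, b: str) -> bool:
    """Two distinct strings collide when one case mapping merges them while
    the other keeps them apart, i.e. the mapping is not reversible.  Plain
    ASCII case variants ("Admin" vs "admin") are merged by both and so are
    not collisions."""
    return a != b and (a.upper() == b.upper()) != (a.lower() == b.lower())


def chars_folding_into_ascii(s: str) -> list:
    """Characters in s that are not ASCII themselves but whose upper(),
    lower() or casefold() form is pure ASCII.  Any such character lets a
    look-alike address collide with an ordinary ASCII one."""
    return [
        ch for ch in s
        if not ch.isascii()
        and (ch.upper().isascii() or ch.lower().isascii() or ch.casefold().isascii())
    ]


def all_ascii_colliding_codepoints() -> list:
    """Scan every code point above ASCII on every plane and return those that
    fold into ASCII under some case mapping; a locally generated version of
    the 'complete list' the post refers to."""
    out = []
    for cp in range(0x80, sys.maxunicode + 1):
        ch = chr(cp)
        if ch.upper().isascii() or ch.lower().isascii() or ch.casefold().isascii():
            out.append(cp)
    return out


def reset_vulnerable(submitted: str):
    """Mirrors the flawed flow: upper-case the input, look the account up,
    then send the reset token to the *submitted* address."""
    rec = USERS.get(submitted.upper())
    if rec is None:
        return None
    return {"account": rec["email"], "token_sent_to": submitted}


def reset_fixed(submitted: str):
    """Hardened flow: refuse input containing case-mapping look-alikes, and
    send the token only to the address stored on the matched record."""
    if chars_folding_into_ascii(submitted):
        return None
    rec = USERS.get(submitted.upper())
    if rec is None:
        return None
    return {"account": rec["email"], "token_sent_to": rec["email"]}


def can_register(new_email: str) -> bool:
    """Registration-time check: reject an address that would collide with an
    existing account after case mapping, or that carries look-alike characters."""
    return not chars_folding_into_ascii(new_email) and new_email.upper() not in USERS


if __name__ == "__main__":
    attacker = "admin@xyz.\u0131n"  # dotless i, U+0131, as in the post
    print(is_case_mapping_collision(attacker, "admin@xyz.in"))
    print(reset_vulnerable(attacker))  # token would go to the look-alike domain
    print(reset_fixed(attacker))       # None: rejected before any lookup
    found = all_ascii_colliding_codepoints()
    print(len(found), [f"U+{cp:04X}" for cp in found[:10]])
```

The two defensive pieces are independent: sending the token to the stored address rather than the submitted one closes the takeover even if a look-alike slips through, and the registration-time check stops the look-alike account from existing in the first place. The scan shows why a blocklist of one character is not enough: the dotless ı is only one of the code points (the Kelvin sign, the long s, ß and the Latin ligatures among them) that land in ASCII after a case mapping.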


#HappyHunting #BugBounty #2020 #CyberVerse
