New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Homograph attack #13920

Open
orthon opened this Issue Dec 29, 2018 · 0 comments

Comments

Projects
None yet
2 participants
@orthon
Copy link

orthon commented Dec 29, 2018

Hello Kraken, I have found another interesting bug in the API key's list.

Bug: Homograph attack.

Description: Please refer https://en.wikipedia.org/wiki/Internationalized_domain_name to know more about IDNs.
The IDN (Internationalized Domain Name) : http://ebаy.com/
is a homograph for the latin ebay.com . if you click that first link, you might think that you are going to ebay.com but in fact, you are going to a homograph url http://xn--eby-7cd.com/

When such an IDN is present on profile (for ex if your follower is having access to see your profile). ,it displays IDN in Unicode. It would be safer to represent the Punycode version of the URL so that it would be apparent to the users that something wierd is going on. i.e show http://xn--eby-7cd.com/ instead of http://ebаy.com/

steps:

  1. ogin

  2. go to all websites

  3. click on add new website and new measurable website.

  4. add : http://xn--eby-7cd.com/ in the URL's

  5. as a hyperlink it is shown as : http://xn--eby-7cd.com/ but it will actually take you to http://xn--eby-7cd.com/

Thanks!

Note: Since hackerone already fixed this issue, you will bot say ebay site in this report, because it is filtering the unicode characters. you can follow up with the screenshot attached or you can ask me for more information.

Thanks!

Impact
A bad guy can exploit this vulnerability by putting up a spoof site behind one of these IDN links, posting the link anywhere on Pinterest (The talk section can be a nice place) and the user or the kraken moderator/admin opens and carelessly enters his credentials there.

@mattab mattab added the c: Security label Jan 14, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment