mattab added the "c: Security" label (For issues that make Matomo more secure. Please report issues through HackerOne and not in GitHub.) on Jan 14, 2019
Hello Kraken, I have found another interesting bug in the API keys list.
Bug: Homograph attack.
Description: Please refer to https://en.wikipedia.org/wiki/Internationalized_domain_name to learn more about IDNs.
The IDN (Internationalized Domain Name) http://ebаy.com/
is a homograph for the Latin ebay.com. If you click that first link, you might think that you are going to ebay.com, but in fact you are going to the homograph URL http://xn--eby-7cd.com/
When such an IDN is present on a profile (for example, if your follower has access to see your profile), it displays the IDN in Unicode. It would be safer to represent the Punycode version of the URL so that it would be apparent to users that something weird is going on, i.e. show http://xn--eby-7cd.com/ instead of http://ebаy.com/
Steps:
Login.
Go to All Websites.
Click on "Add new website" and "New measurable website".
Add http://xn--eby-7cd.com/ in the URLs.
As a hyperlink it is shown as http://xn--eby-7cd.com/, but it will actually take you to http://xn--eby-7cd.com/
Thanks!
Note: Since HackerOne already fixed this issue, you will not see the ebay site in this report, because it is filtering the Unicode characters. You can follow up with the screenshot attached, or you can ask me for more information.
Thanks!
Impact
A bad guy can exploit this vulnerability by putting up a spoof site behind one of these IDN links, posting the link anywhere on Pinterest (the talk section can be a nice place), and the user or the Kraken moderator/admin opens it and carelessly enters his credentials there.
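The mitigation the report asks for, as an added Python example that is not part of this issue or of Matomo's own code: before a stored URL is rendered as a link, rewrite its host to the IDNA (Punycode) form so a homograph such as http://ebаy.com/ (Cyrillic а) is displayed as http://xn--eby-7cd.com/, and flag hosts whose Unicode form is non-ASCII or mixes scripts within one label. The function names and the sample URLs are constructed for this example; the encoding relies only on Python's built-in `idna` codec.

```python
from urllib.parse import urlsplit, urlunsplit
import unicodedata


def to_ascii_host(host: str) -> str:
    """Return the IDNA (Punycode) form of a hostname; ASCII hosts are unchanged.
    Example (constructed): 'ebаy.com' with Cyrillic а -> 'xn--eby-7cd.com'."""
    return host.encode("idna").decode("ascii")


def to_unicode_host(host: str) -> str:
    """Inverse of to_ascii_host: decode any 'xn--' labels back to Unicode."""
    return host.encode("idna").decode("idna")


def safe_display_url(url: str) -> str:
    """Rebuild a URL with its host in Punycode form so the rendered link text
    makes a non-ASCII domain visible instead of blending in with Latin text."""
    parts = urlsplit(url)
    if not parts.hostname:
        return url  # nothing to normalise (relative URL, mailto:, ...)
    netloc = to_ascii_host(parts.hostname)
    if parts.port:
        netloc += f":{parts.port}"
    if parts.username:
        userinfo = parts.username
        if parts.password:
            userinfo += f":{parts.password}"
        netloc = f"{userinfo}@{netloc}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def label_scripts(label: str) -> set[str]:
    """Scripts used by the letters of one hostname label, taken from the first
    word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in label
        if ch.isalpha()
    }


def is_homograph_suspect(host: str) -> bool:
    """True when the host is non-ASCII in its Unicode form (including hosts
    already given as xn-- labels) or when any single label mixes scripts.
    A defender would show such hosts in Punycode or add a warning."""
    unicode_host = to_unicode_host(host)
    if not unicode_host.isascii():
        return True
    return any(len(label_scripts(label)) > 1 for label in unicode_host.split("."))


if __name__ == "__main__":
    # Constructed sample inputs: the homograph from the report and a plain host.
    for sample in ("http://eb\u0430y.com/", "http://xn--eby-7cd.com/", "http://example.com/path?q=1"):
        print(sample, "->", safe_display_url(sample), "| suspect:", is_homograph_suspect(urlsplit(sample).hostname))
```

`safe_display_url` is the change a UI would apply at render time; `is_homograph_suspect` is the extra check that lets an application decide whether to also warn the viewer, since a host made entirely of Cyrillic letters would pass a mixed-script test alone but still reads like a Latin name.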