@orthon opened this Issue on December 29th 2018

Hello Kraken, I have found another interesting bug in the API key's list.

Bug: Homograph attack.

Description: Please refer https://en.wikipedia.org/wiki/Internationalized_domain_name to know more about IDNs.
The IDN (Internationalized Domain Name) : http://ebаy.com/
is a homograph for the latin ebay.com . if you click that first link, you might think that you are going to ebay.com but in fact, you are going to a homograph url http://xn--eby-7cd.com/

When such an IDN is present on profile (for ex if your follower is having access to see your profile). ,it displays IDN in Unicode. It would be safer to represent the Punycode version of the URL so that it would be apparent to the users that something wierd is going on. i.e show http://xn--eby-7cd.com/ instead of http://ebаy.com/

steps:

  1. ogin

  2. go to all websites

  3. click on add new website and new measurable website.

  4. add : http://xn--eby-7cd.com/ in the URL's

  5. as a hyperlink it is shown as : http://xn--eby-7cd.com/ but it will actually take you to http://xn--eby-7cd.com/

Thanks!

Note: Since hackerone already fixed this issue, you will bot say ebay site in this report, because it is filtering the unicode characters. you can follow up with the screenshot attached or you can ask me for more information.

Thanks!

Impact
A bad guy can exploit this vulnerability by putting up a spoof site behind one of these IDN links, posting the link anywhere on Pinterest (The talk section can be a nice place) and the user or the kraken moderator/admin opens and carelessly enters his credentials there.

Powered by GitHub Issue Mirror