Sunday, July 12, 19:36

Hacking GitHub: Unicode is no joke

Unicode, which most people know only as the thing that gives us emoji and other simple symbols, rarely gets the credit it deserves. Its importance goes beyond localisation and linguistic diversity: a poor understanding of Unicode can lead to vulnerabilities in your code.


A lesser known issue is Unicode case-mapping collisions. Such a collision occurs when two different characters are mapped to the same character during conversion to upper or lower case. This phenomenon usually shows up when data crosses between two different protocols, such as e-mail addresses and domain names.

A quick code example:

'ß'.toUpperCase() // 'SS'

'ß'.toUpperCase() === 'SS'.toUpperCase() // true

// Note the Turkish dotless i (U+0131), which uppercases to a plain ASCII 'I'
'John@Gıthub.com'.toUpperCase() === 'John@Github.com'.toUpperCase() // true

Conflicts during conversion

Although case-mapping collisions exist at many levels of Unicode, the tables below list only the upper / lower case conversion collisions that produce English (ASCII) letters.

Uppercase conversion

Char   Code Point   Output
ß      0x00DF       SS
ı      0x0131       I
ſ      0x017F       S
ﬀ      0xFB00       FF
ﬁ      0xFB01       FI
ﬂ      0xFB02       FL
ﬃ      0xFB03       FFI
ﬄ      0xFB04       FFL
ﬅ      0xFB05       ST
ﬆ      0xFB06       ST

Lowercase conversion

Char   Code Point   Output
K      0x212A       k
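The tables above can be regenerated rather than copied. The following JavaScript is added here as an example and is not part of the original article: it scans every code point of the Basic Multilingual Plane and reports those whose toUpperCase() or toLowerCase() result is a different, purely ASCII string. It goes further than the tables by scanning the whole plane, so it would also surface any collision they omit; restricting the target to ASCII is an assumption made to match the "English" scope of the tables.

```javascript
// Enumerate BMP code points whose JavaScript case conversion yields a
// pure-ASCII string that differs from the character itself.
// Returns a Map from the original character to its ASCII mapping.
function findCaseMappingCollisions(convert) {
  const found = new Map();
  for (let cp = 0x80; cp <= 0xffff; cp++) {
    if (cp >= 0xd800 && cp <= 0xdfff) continue; // skip surrogate halves
    const ch = String.fromCodePoint(cp);
    const out = convert(ch);
    if (out !== ch && /^[\x00-\x7f]+$/.test(out)) found.set(ch, out);
  }
  return found;
}

// Collisions under the two conversions the article discusses.
const UPPER_COLLISIONS = findCaseMappingCollisions((s) => s.toUpperCase());
const LOWER_COLLISIONS = findCaseMappingCollisions((s) => s.toLowerCase());

// Format a code point the way the article's tables do (0x00DF).
function hexCodePoint(ch) {
  return '0x' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0');
}

// Render a collision map as "Char  Code Point  Output" rows.
function collisionTable(map) {
  const rows = ['Char\tCode Point\tOutput'];
  for (const [ch, out] of map) rows.push(`${ch}\t${hexCodePoint(ch)}\t${out}`);
  return rows.join('\n');
}

// Do two distinct strings become identical after the given conversion?
// This is exactly the check that lets 'Gıthub' pass as 'Github'.
function collideUnder(a, b, convert) {
  return a !== b && convert(a) === convert(b);
}

// Demonstration on the article's own example (constructed input).
function demo() {
  console.log('Uppercase collisions:\n' + collisionTable(UPPER_COLLISIONS));
  console.log('Lowercase collisions:\n' + collisionTable(LOWER_COLLISIONS));
  const upper = (s) => s.toUpperCase();
  console.log(collideUnder('John@G\u0131thub.com', 'John@Github.com', upper));
}
```

Running demo() prints both tables; the dotless ı only collides under toUpperCase(), because lowercasing leaves it unchanged, while the Kelvin sign only collides under toLowerCase(). A lookup that is case-insensitive in either direction is therefore exposed to one set or the other.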

Example of a real incident

GitHub's password reset feature put the system at risk: it converted e-mail addresses to lowercase and compared the result with the address stored in the user database. If there was a match, GitHub sent the password reset link to the e-mail address the attacker had supplied, which obviously was not the same address as the one stored.

Below is a quote from GitHub's security team:

"Our team discovered a flaw in the way e-mail addresses were converted into a specific character set when they were used to look up accounts during the password recovery process. Password reset tokens are tied to e-mail addresses, and initiating a password reset with an e-mail address that is transformed into a different address results in the reset token being delivered to the e-mail address of the other account. The attack only works if an e-mail provider allows the use of Unicode in the "local" part of the e-mail address and an attacker can claim an e-mail address containing Unicode which converts into the e-mail address of another account (e.g. mike@example.org versus mıke@example.org). Unicode in the domain part is not allowed by the GitHub outbound mail server and therefore cannot be used as part of a wider shared-domain attack (e.g. gmail.com versus gmaıl.com).

GitHub has addressed the vulnerability by ensuring that the e-mail address in the database matches the e-mail address that triggered the reset procedure. This ensures that the e-mail address used to create the token corresponds to the e-mail address where the reset token is delivered."

Source: https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/


SecNews (https://www.secnews.gr)
