3 comments

[ 3.5 ms ] story [ 19.5 ms ] thread
This the same as the unicode email collision that was found in GitHub the other day:

https://news.ycombinator.com/item?id=21809390

https://eng.getwisdom.io/hacking-github-with-unicode-dotless...

It makes you wander how wide spread this vulnerability could be with two independent implementations found so far. I’m guessing this was found when someone audited the Django email comparison code after reading about the GutHub one.

Everyone who maintains a password reset form should be auditing for the same issue ASAP.

Yep, and goes to show that the intricacies of character encoding need to be more well-understood by developers, instead of the incredibly small subset of Unicode Wizards leading the way and everyone else (me included) barely keeping up.

Naturally, the top-rated comment in the thread you linked makes a much better point than I ever could!