Nytro Posted October 15, 2014

Gmail's SMTPUTF8 prone to homographic attacks (thanks, 4chan!)
October 14, 2014

I always loved working with Google. I have been participating in their program since 2012. Over the years, I addressed some nice vulnerabilities that got me a couple of hall of fame entries and of course some nice monetary awards. But this last time, I drew a blank.

I spent some time researching Unicode last month. Browsing through a lot of interesting characters, two of them struck my eye: the soft hyphen and the zero-width space. These characters are basically – nothing[1], except they are there. Doing a bit of research, I quickly found that these characters were used to "blank post" on the popular image board "4chan". Interesting. Naturally, it is not allowed to submit "empty" comments to the board – but using this single character, it was possible to bypass this restriction. Well, such a post is technically not empty. It just seems like it is. I started wondering whether this could lead to some security implications in popular websites. Except for some low-priority design bugs I did not find anything.

[1] The soft hyphen does have a functionality: it indicates where to break a word.

Months passed by. I had forgotten about the special Unicode character and moved on, looking for new and unique bugs. Until I read a post on the Google Blog: Gmail would now support e-mail addresses with Unicode characters. The extraordinary characters from earlier popped up in my head and I had this crazy idea:

inti@deceukelai.re vs in*ti@deceukelai.re

Can you spot the difference? I can't. But believe me – they are different. The 2nd one has a soft hyphen between "in" and "ti". So technically, this gives us an e-mail that appears to be the same, but isn't.

So what's the big deal? Monday morning at work. You receive the following mail from your colleague, who happens to be me. You recognize my e-mail address and send me the document.

Or did you? You actually replied to in*ti@dece*ukelai.re instead of inti@deceukelai.re, without ever noticing you have been tricked. Sounds like a problem to me.

After reporting this bug, it got miraculously fixed, even though my initial tests showed that the vulnerability did exist. I noticed, however, that it was still possible to use a homograph attack mixing look-alike characters of different character sets (e.g. Latin and Greek). Result:

Even though these e-mail addresses may look the same, they are not: the first letter (blank one) of the e-mail address is a look-alike character of some other script.

So let's say you send a mail to

You think you are sending your message to me, but you are not, as the "e" of "de" is a letter from another alphabet. Say the server, in this case Gmail's, supports the creation of SMTPUTF8 e-mail addresses (they will, shortly), then this e-mail could be delivered to a different user without anyone even noticing.

I reported this additional information to Google and they replied that they are working on it, but also that my report does not qualify for a reward.

I am publishing this to show the dangers of the new RFC6530 e-mail standardization. While I do believe globalisation is a good thing, we should watch our steps toward it carefully. Nobody wants to get lost in translation.

I was a bit "feeling unlucky" to see my work did not get rewarded. But that's life, I guess. Luckily, I found some vulnerabilities at Facebook that did get a generous reward. I will do a write-up on those soon. Stay tuned!

Source: Gmail's SMTPUTF8 prone to homographic attacks (thanks, 4chan!) | Securinti
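Added example, not code from the post or from Gmail: a Python check that a mail client or gateway could run on an address before trusting it, flagging both cases the post describes: invisible format characters such as the soft hyphen or zero-width space, and a single label that mixes letters from two scripts. The list of scripts, the `canonical` comparison and the sample address with a Cyrillic letter are assumptions made for this example.

```python
import unicodedata

# Scripts we distinguish when looking for mixed-script labels (assumption:
# the scripts whose letters most often serve as Latin look-alikes).
SCRIPTS = ("LATIN", "GREEK", "CYRILLIC", "ARMENIAN")

def script_of(ch):
    """Coarse script of a letter, taken from its Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in SCRIPTS:
        if name.startswith(script):
            return script
    return "OTHER"

def canonical(addr):
    """Drop format characters (category Cf: soft hyphen, zero-width space, ...)
    and normalise, so an address padded with invisible characters compares
    equal to the address it imitates. Mixed-script look-alikes are NOT
    folded here; analyse_address() reports those separately."""
    visible = "".join(c for c in addr if unicodedata.category(c) != "Cf")
    return unicodedata.normalize("NFKC", visible).casefold()

def analyse_address(addr):
    """Return a list of findings explaining why addr may not be what it looks like."""
    findings = []
    hidden = [f"U+{ord(c):04X}" for c in addr if unicodedata.category(c) == "Cf"]
    if hidden:
        findings.append("invisible:" + ",".join(hidden))
    # A label (local part or one DNS label) mixing letters of two scripts is the
    # homograph case from the post: one foreign letter dropped into a Latin name.
    # An address written entirely in one non-Latin script is legitimate under
    # RFC 6530 and is deliberately not flagged.
    local, _, domain = addr.rpartition("@")
    for label in [local] + domain.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()} - {"OTHER"}
        if len(scripts) > 1:
            findings.append("mixed-script:" + label)
    return findings

if __name__ == "__main__":
    # Constructed samples: the address from the post, the soft-hyphen variant
    # it describes, and a variant whose "e" is CYRILLIC SMALL LETTER IE (U+0435).
    for sample in ("inti@deceukelai.re", "in\u00adti@deceukelai.re",
                   "inti@d\u0435ceukelai.re"):
        same = canonical(sample) == "inti@deceukelai.re"
        print(repr(sample), "canonical-match:", same, analyse_address(sample))
```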