Critical 0-Click Vulnerability Enables Attackers to Takeover Email Access Using Punycode

A critical, zero-click vulnerability has been disclosed that allows attackers to hijack online accounts by exploiting how web applications handle internationalized email addresses.

The flaw, rooted in a technical discrepancy known as a “canonicalization mismatch,” affects password reset and “magic link” login systems, which are foundational to modern web security.

According to NullSecurityX, the attack requires no interaction from the victim, making it exceptionally dangerous. An attacker can gain full control of an account simply by requesting a password reset using a specially crafted email address that appears identical to the victim’s.

This method bypasses the need for phishing or tricking the user into clicking a malicious link.

The vulnerability stems from the interplay between Unicode, which allows for characters from various languages in domain names (Internationalized Domain Names or IDN), and Punycode, the system that converts these characters into the standard ASCII format used by internet infrastructure.

0-Click Vulnerability Using Punycode

Attackers can register a domain using Unicode characters that are visually indistinguishable from standard letters, such as a Cyrillic ‘o’ instead of a Latin ‘o’.

According to a technical analysis of the vulnerability, the attack unfolds when a web application’s backend processes a password reset request.

For example, an attacker might request a password reset for “[email protected]” but submit the address with a “full-width” ‘ｍ’ in the domain (gｍail.com).

The application’s front-end or validation logic may fail to distinguish between the legitimate address and the visually confusable one, approving the request.

However, when the email system sends the reset link, the mail transport converts the domain to its Punycode form (e.g., xn--...) and routes the message to the attacker-controlled domain. The attacker then receives the privileged link and takes over the account, while the legitimate user remains completely unaware.

This “0-click” nature is what makes the threat so severe. The compromise is not a result of user error but a fundamental flaw in how different layers of an application, from the user interface and validation rules to the database and mail servers, handle email addresses.

Each component may interpret the Unicode and Punycode versions differently, creating a gap that attackers can exploit, NullSecurityX said.

“The result is that two addresses that look the same to humans can be handled as different strings by the mail transport,” the research paper states.

Since email often serves as the ultimate “trust anchor” for recovering access to countless other online services, a compromise can have a cascading effect.

Experts are urging developers to immediately review and fortify their authentication systems. Mitigation requires implementing consistent normalization of email addresses across all system components, using robust validation libraries that understand Unicode confusables, and ensuring that database lookups are not susceptible to these visual tricks.
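The mitigation above can be reduced to two rules: every layer must derive the same canonical form of an address (domain converted to its IDNA ASCII form, the one the mail transport routes on), and the reset link must only ever be sent to the address stored on the matched account, never to the string the requester typed. The following is an added example written for this article, not code from NullSecurityX or any of the affected products; the account store and the addresses in it are constructed.

```python
import unicodedata


def canonical_email(address: str) -> str:
    """One canonical form shared by validation, database lookup and mail delivery.

    The domain is NFKC-normalized and then converted to its IDNA ASCII form, so a
    confusable Unicode domain can no longer collide with the ASCII original.
    Raises ValueError on malformed input.
    """
    if address.count("@") != 1:
        raise ValueError("address must contain exactly one '@'")
    local, domain = address.rsplit("@", 1)
    # NFKC folds compatibility characters (e.g. full-width letters) before IDNA.
    domain = unicodedata.normalize("NFKC", domain).rstrip(".")
    if not local or not domain:
        raise ValueError("empty local part or domain")
    try:
        ascii_domain = domain.encode("idna").decode("ascii").lower()
    except UnicodeError as exc:
        raise ValueError(f"domain is not a valid IDN: {exc}") from exc
    return f"{local}@{ascii_domain}"


def is_idn(canonical: str) -> bool:
    """True if any label of the canonical domain is Punycode (xn--)."""
    domain = canonical.rsplit("@", 1)[1]
    return any(label.startswith("xn--") for label in domain.split("."))


# Constructed sample account store, keyed by canonical address only.
ACCOUNTS = {canonical_email("victim@example.com"): {"id": 1}}


def request_reset(submitted: str, accounts=ACCOUNTS):
    """Return (status, delivery_address) for a password-reset request.

    Lookup uses the canonical form, and the delivery address is the stored key
    of the matched account, so a lookalike domain never receives the link.
    """
    try:
        canon = canonical_email(submitted)
    except ValueError:
        return ("rejected", None)
    if canon not in accounts:
        return ("no_account", None)  # same response as a real send, to avoid enumeration
    return ("sent", canon)
```

Note that "exаmple.com" with a Cyrillic ‘а’ canonicalizes to an xn-- domain and finds no account, while a full-width ‘ｅ’ folds to the plain ASCII domain and the link still goes to the stored address.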

This silent but potent threat highlights the need for a deeper, code-level understanding of how seemingly simple data like an email address is processed and trusted.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.