Using Similar Unicode Characters to Bypass Authentication

GitHub turned out to be vulnerable to an attack that allowed an account to be taken over by manipulating Unicode characters in an e-mail address. The problem is that some Unicode characters, when passed through a lowercase or uppercase conversion function, are mapped to ordinary ASCII characters of similar shape, so that several distinct characters collapse into one: for example, the Turkish dotless "ı" (U+0131) and the Latin "i" are both converted to "I" when uppercased.

In some services and applications the data submitted by the user is first converted to upper or lower case and only then compared against the database. If the service accepts Unicode characters in the login or e-mail address, an attacker can submit look-alike Unicode characters and exploit collisions in the Unicode case-mapping tables: two different input strings that become identical after the conversion.

'ß'.toUpperCase() == 'ss'.toUpperCase()                   // ß is 0x00DF; both sides become 'SS'
'\u212A'.toLowerCase() == 'K'.toLowerCase()               // 0x212A is the Kelvin sign; both sides become 'k'
'John@G\u0131thub.com'.toUpperCase() == 'John@Github.com'.toUpperCase()   // 0x0131 is the dotless ı; both sides become 'JOHN@GITHUB.COM'

On GitHub, an attacker could use the forgotten-password form to have a recovery code sent to a different mailbox by entering an address that contains a colliding Unicode character (for example, mıke@example.org, with a dotless ı, in place of mike@example.org). The address passed the check because it was converted to upper case before comparison and then matched the victim's registered address (mike@example.org), but the message was sent to the address exactly as entered, so the recovery code went to the attacker's look-alike mailbox (mıke@example.org).
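The following is an added example, not code from the original article or from GitHub: a miniature password-reset lookup in the shape the article describes, first with the collision bug and then hardened. The user store, the function names and the addresses are all constructed for this illustration.

```javascript
// Added example, not code from the original article or from GitHub: a
// miniature password-reset lookup in the shape the article describes,
// first with the collision bug and then hardened. USERS, the function
// names and the addresses are all constructed for this illustration.

// Constructed user store; mike@example.org stands in for the victim.
const USERS = [
  { id: 1, email: 'mike@example.org' },
  { id: 2, email: 'John@Github.com' },
];

// Vulnerable lookup: both sides are upper-cased before comparison, so any
// character whose uppercase form is ASCII (dotless ı, long ſ, ß, the f/s
// ligatures) matches the stored ASCII address.
function findUserVulnerable(typedEmail) {
  const needle = typedEmail.toUpperCase();
  return USERS.find((u) => u.email.toUpperCase() === needle) || null;
}

// The bug the article describes: the match succeeds against the victim's
// record, but the recovery code is mailed to the address as typed.
function requestResetVulnerable(typedEmail) {
  const user = findUserVulnerable(typedEmail);
  if (!user) return { ok: false, reason: 'no such user' };
  return { ok: true, userId: user.id, sendTo: typedEmail }; // attacker-controlled
}

// Defence in depth: flag any character that does not survive an
// upper/lower round trip. 'ı' -> 'I' -> 'i' differs from 'ı';
// Kelvin 'K' (U+212A) -> 'k' -> 'K' differs from 'K'; 'ß' -> 'SS' -> 'ss'.
// Ordinary accented letters such as 'é' round-trip and pass. The check is
// deliberately strict: it also rejects a few legitimate letters, e.g. the
// Greek final sigma 'ς', whose uppercase 'Σ' lowercases to 'σ'.
function hasCaseMappingCollision(s) {
  for (const ch of s) {
    if (ch.toUpperCase().toLowerCase() !== ch.toLowerCase()) return true;
    if (ch.toLowerCase().toUpperCase() !== ch.toUpperCase()) return true;
  }
  return false;
}

// Hardened flow. The decisive fix is the last line: the code goes only to
// the address on record, never to the requester's input. Rejecting
// collision characters up front additionally keeps look-alike addresses
// out of the user store if the same check is applied at registration.
function requestResetHardened(typedEmail) {
  if (hasCaseMappingCollision(typedEmail)) {
    return { ok: false, reason: 'address contains case-mapping collision characters' };
  }
  const needle = typedEmail.toUpperCase();
  const user = USERS.find((u) => u.email.toUpperCase() === needle) || null;
  if (!user) return { ok: false, reason: 'no such user' };
  return { ok: true, userId: user.id, sendTo: user.email };
}

// Demonstration: the attacker types mıke@example.org (dotless ı, U+0131).
const attackerAddress = 'm\u0131ke@example.org';
console.log(requestResetVulnerable(attackerAddress));
// -> { ok: true, userId: 1, sendTo: 'mıke@example.org' }   (code leaks)
console.log(requestResetHardened(attackerAddress));
// -> { ok: false, reason: 'address contains case-mapping collision characters' }
console.log(requestResetHardened('MIKE@example.org'));
// -> { ok: true, userId: 1, sendTo: 'mike@example.org' }
```

The round-trip check alone is not a complete fix: a service that stores e-mail addresses in mixed case and compares them case-insensitively must still send every security-sensitive message to the stored address, because the lookup normalisation and the delivery address are two different strings.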

Some of the characters that cause collisions during case conversion (character, code point, result of the conversion):

ß   0x00DF   uppercases to SS
ı   0x0131   uppercases to I
ſ   0x017F   uppercases to S
ﬀ   0xFB00   uppercases to FF
ﬁ   0xFB01   uppercases to FI
ﬂ   0xFB02   uppercases to FL
ﬃ   0xFB03   uppercases to FFI
ﬄ   0xFB04   uppercases to FFL
ﬅ   0xFB05   uppercases to ST
ﬆ   0xFB06   uppercases to ST
K   0x212A   lowercases to k (Kelvin sign)
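The table above can be derived rather than memorised. The following is an added example, not from the original article: it asks the JavaScript engine itself which characters in the Basic Multilingual Plane case-map to pure ASCII, then uses the result to generate look-alike spellings for testing one's own login or password-reset form. It assumes any ES2015+ engine with full Unicode case mapping (Node.js/V8 was used here); the function names are this example's own.

```javascript
// Added example, not from the original article: derive the collision table
// by scanning the BMP with the engine's own toUpperCase()/toLowerCase(),
// then generate look-alike spellings of an ASCII string from it.
// Assumes any ES2015+ engine (Node.js/V8); function names are this
// example's own.

const isAscii = (s) => /^[\x00-\x7F]+$/.test(s);

// Scan the Basic Multilingual Plane (surrogates skipped) and return every
// non-ASCII character whose toUpperCase() or toLowerCase() is entirely
// ASCII. This reproduces the table above: ß, ı, ſ, the seven f/s ligatures
// and the Kelvin sign.
function asciiCaseCollisions() {
  const out = [];
  for (let cp = 0x80; cp <= 0xFFFF; cp++) {
    if (cp >= 0xD800 && cp <= 0xDFFF) continue;
    const char = String.fromCodePoint(cp);
    const up = char.toUpperCase();
    const low = char.toLowerCase();
    if (isAscii(up)) out.push({ char, codePoint: cp, maps: 'upper', to: up });
    else if (isAscii(low)) out.push({ char, codePoint: cp, maps: 'lower', to: low });
  }
  return out;
}

// True when a and b become equal under either case conversion, which is the
// comparison a case-insensitive lookup effectively performs.
function collidesUnderCaseMapping(a, b) {
  return a.toUpperCase() === b.toUpperCase() || a.toLowerCase() === b.toLowerCase();
}

// Enumerate single-substitution look-alikes of an ASCII string: for each
// collision character, every position where its ASCII image occurs
// (compared case-insensitively) is replaced with that character.
function collidingSpellings(ascii) {
  const variants = new Set();
  const upper = ascii.toUpperCase();
  for (const { char, to } of asciiCaseCollisions()) {
    const target = to.toUpperCase();
    let idx = upper.indexOf(target);
    while (idx !== -1) {
      variants.add(ascii.slice(0, idx) + char + ascii.slice(idx + target.length));
      idx = upper.indexOf(target, idx + 1);
    }
  }
  return [...variants];
}

// Print the table in the same layout as above.
for (const { char, codePoint, maps, to } of asciiCaseCollisions()) {
  const hex = '0x' + codePoint.toString(16).toUpperCase().padStart(4, '0');
  console.log(`${char}   ${hex}   ${maps === 'upper' ? 'uppercases' : 'lowercases'} to ${to}`);
}
console.log(collidingSpellings('mike'));  // -> [ 'm\u0131ke', 'mi\u212Ae' ]
console.log(collidingSpellings('first')); // -> five variants (ﬁ, ı, ſ, ﬅ, ﬆ)
```

Feeding collidingSpellings() output into a registration or password-reset form is a quick way to check whether a service you are responsible for normalises with case conversion on one side and delivers to the raw string on the other; with supplementary-plane characters (code points above 0xFFFF) the scan would need to extend past the BMP, but the Unicode case tables map none of those to ASCII.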

Source: opennet.ru
