Using look-alike Unicode characters to bypass authentication

GitHub was recently hit by an attack that allowed an attacker to take over an account by manipulating Unicode characters in an e-mail address. The problem is that some Unicode characters, when converted to upper or lower case, are mapped to ordinary ASCII characters that look similar (several distinct characters collapse into one: for example, the Turkish dotless "ı" and the ASCII "i" both become "I" when converted to upper case).

In some services and applications the user-supplied login data is first converted to upper or lower case and only then looked up in the database. If the service allows Unicode characters in the login or e-mail field, an attacker can submit a look-alike Unicode string that case-folds to the victim's value and exploit the resulting Unicode case mapping collision.

'ß'.toUpperCase() == 'ss'.toUpperCase() // 0x00DF
'ı'.toUpperCase() == 'i'.toUpperCase() // 0x0131
'K'.toLowerCase() == 'k'.toLowerCase() // 0x212A (Kelvin sign)
'John@Gıthub.com'.toUpperCase() == 'John@Github.com'.toUpperCase()

On GitHub an attacker could use the forgotten-password form to have a reset code sent to a different mailbox, by entering an address that contained a Unicode character that collides on case conversion (for example, instead of [email protected], the address mı[email protected] was entered). The address passed the check because it was converted to upper case and then matched the registered address ([email protected]), but when the mail was sent the address was used as submitted, so the reset code went to the attacker-controlled address (mı[email protected]).
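The following is an added example, not code from the page or from GitHub, that reproduces the flawed flow in miniature: an in-memory account table (constructed data) is searched with a case-folded comparison, and the reset mail is addressed to the string the user typed rather than the stored address. The hardened variant rejects non-ASCII input before case-folding and only ever delivers to the mailbox on record. The account names and function names are illustrative.

```javascript
// Added example (not the original page's code): Unicode case-mapping collision
// in a password-reset lookup, vulnerable and hardened versions side by side.

// Constructed account table keyed by the registered e-mail address.
const accounts = new Map([
  ["john@github.com", { resetMailbox: "john@github.com" }],
]);

// Vulnerable: case-folds both sides before comparing, then uses the raw
// submitted string as the delivery address. 'john@gıthub.com'.toUpperCase()
// equals 'JOHN@GITHUB.COM', so the lookup succeeds but the mail goes elsewhere.
function vulnerableLookup(submitted) {
  const folded = submitted.toUpperCase();
  for (const [registered] of accounts) {
    if (registered.toUpperCase() === folded) {
      return { matched: registered, sendTo: submitted };
    }
  }
  return null;
}

// Hardened: (1) refuse anything outside printable ASCII before any case
// conversion, so look-alike code points never reach the comparison; (2) fold
// once, look up by the folded key; (3) deliver only to the stored mailbox.
function hardenedLookup(submitted) {
  if (!/^[\x21-\x7e]+$/.test(submitted)) return null; // non-ASCII: reject
  const key = submitted.toLowerCase();
  const acct = accounts.get(key);
  return acct ? { matched: key, sendTo: acct.resetMailbox } : null;
}

// Stand-alone demonstration with the dotless-ı variant of the victim address.
if (typeof require !== "undefined" && require.main === module) {
  const attacker = "john@g\u0131thub.com"; // "gıthub", U+0131 instead of "i"
  console.log("vulnerable:", vulnerableLookup(attacker));
  console.log("hardened:  ", hardenedLookup(attacker));
  console.log("hardened, legitimate:", hardenedLookup("JOHN@github.com"));
}
```

Rejecting non-ASCII is the blunt fix shown here; a service that genuinely needs internationalised addresses should at least never send to the raw input, because the lookup key and the delivery address must be the same string.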

Other characters that cause collisions on case conversion:

ß 0x00DF SS
ı 0x0131 I
ſ 0x017F S
ﬀ 0xFB00 FF
ﬁ 0xFB01 FI
ﬂ 0xFB02 FL
ﬃ 0xFB03 FFI
ﬄ 0xFB04 FFL
ﬅ 0xFB05 ST
ﬆ 0xFB06 ST
K 0x212A k
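Rather than trusting a hand-maintained list, a practitioner can derive the table above from the runtime's own case mapping. The scanner below is an added example (not part of the original page): it walks the Basic Multilingual Plane and reports every non-ASCII code point whose upper- or lower-case mapping is a pure ASCII letter string, which is exactly the property that makes a character usable in this attack. It goes slightly beyond the page's table in that it reports both mapping directions and whatever the current JavaScript engine's Unicode tables contain.

```javascript
// Added example (not the original page's code): enumerate Unicode characters
// whose case mapping collapses into ASCII letters, i.e. case-mapping collisions.

// Returns [{ char, codePoint, direction, mapped }] for every non-ASCII code
// point below maxCodePoint whose toUpperCase() or toLowerCase() result is
// entirely ASCII letters. Surrogate halves are skipped.
function findCaseCollisions(maxCodePoint = 0xffff) {
  const results = [];
  for (let cp = 0x80; cp <= maxCodePoint; cp++) {
    if (cp >= 0xd800 && cp <= 0xdfff) continue; // not scalar values
    const ch = String.fromCodePoint(cp);
    const candidates = [
      ["upper", ch.toUpperCase()],
      ["lower", ch.toLowerCase()],
    ];
    for (const [direction, mapped] of candidates) {
      // Only a full ASCII-letter result can collide with an ASCII identifier;
      // mappings that keep non-ASCII parts (e.g. U+0130 -> "i" + U+0307) do not.
      if (/^[A-Za-z]+$/.test(mapped)) {
        results.push({ char: ch, codePoint: cp, direction, mapped });
      }
    }
  }
  return results;
}

// Formats one entry like the page's table: character, hex code point, mapping.
function formatEntry({ char, codePoint, mapped }) {
  return `${char} 0x${codePoint.toString(16).toUpperCase().padStart(4, "0")} ${mapped}`;
}

// Stand-alone run: print the table for the current engine.
if (typeof require !== "undefined" && require.main === module) {
  for (const entry of findCaseCollisions()) console.log(formatEntry(entry));
}
```

On V8 (Node.js) the output reproduces the eleven rows above; if a future Unicode version adds a mapping, the scanner picks it up while a static denylist would not, which is why an allowlist of ASCII (or at least a rule that the stored and delivered strings are identical) is the safer control.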

Source: opennet.ru
