- Status Closed
-
Assigned To
cbay - Private
Opened by waloodi_109 - 08.04.2026
Last edited by cbay - 08.04.2026
FS#315 - -Click Account Takeover Using Punycode IDN Attacks
Description:
An Internationalized Domain Name (IDN) homograph attack is a cybersecurity deception technique where an attacker uses characters from different scripts (e.g., Cyrillic, Greek, Latin) that look visually identical or similar to create fraudulent domains. For example, replacing a Latin 'a' with a Cyrillic 'а' can create a spoofed domain that appears legitimate to users, enabling phishing or malware distribution.
Steps to Reproduce:
1. Go to https://www.alwaysdata.com/en/register/.
2. Put admin@example.com and then password to create the account.
3. Then, go to again https://www.alwaysdata.com/en/register/.
4. Input admin@example.com and then password to create the account.
5. You can see that account already exsits.
Impact:
Attacker can setup a dns to reset and takeover victim account.
Access personal data of user.
No user interaction required to takover the account.
#Note:
I tested in Bugcrowd and hackerone platform, they doesn't have it.
Thank You,
Waleed Anwar
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
Hello,
I'm not sure I understand. Can you send a video where you would takeover an account?
Kind regards,
Cyril
I am not takeovering the account, I am just telling that these email are not same "admin@example.com" & "admin@example.com", but in admin.alwaysdata.com referring these are same. So attacker can easily set a dns to takeover the account.
I don't think that's true. I've just tried it and could successfully create both admin@example.com and admin@example.com.
I am sending the video sir
Please have a look sir
From what I've tested, Chrome does NOT send what you've actually typed but the "canonical" email address.
Try to reproduce with curl.
its 302 found i got it thnks for clarification