Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 08.04.2026
Last edited by cbay - 08.04.2026

FS#315 - -Click Account Takeover Using Punycode IDN Attacks

Description:
An Internationalized Domain Name (IDN) homograph attack is a cybersecurity deception technique where an attacker uses characters from different scripts (e.g., Cyrillic, Greek, Latin) that look visually identical or similar to create fraudulent domains. For example, replacing a Latin 'a' with a Cyrillic 'а' can create a spoofed domain that appears legitimate to users, enabling phishing or malware distribution.

Steps to Reproduce:

1. Go to https://www.alwaysdata.com/en/register/.
2. Put admin@example.com and then password to create the account.
3. Then, go to again https://www.alwaysdata.com/en/register/.
4. Input admin@example.com and then password to create the account.
5. You can see that account already exsits.

Impact:

Attacker can setup a dns to reset and takeover victim account.
Access personal data of user.
No user interaction required to takover the account.

#Note:

I tested in Bugcrowd and hackerone platform, they doesn't have it.

Thank You,

Waleed Anwar

Closed by  cbay
08.04.2026 13:37
Reason for closing:  Invalid
Admin
cbay commented on 08.04.2026 12:41

Hello,

I'm not sure I understand. Can you send a video where you would takeover an account?

Kind regards,
Cyril

I am not takeovering the account, I am just telling that these email are not same "admin@example.com" & "admin@example.com", but in admin.alwaysdata.com referring these are same. So attacker can easily set a dns to takeover the account.

Admin
cbay commented on 08.04.2026 13:01
but in admin.alwaysdata.com referring these are same

I don't think that's true. I've just tried it and could successfully create both admin@example.com and admin@example.com.

I am sending the video sir

Please have a look sir

Admin
cbay commented on 08.04.2026 13:16

From what I've tested, Chrome does NOT send what you've actually typed but the "canonical" email address.

Try to reproduce with curl.

its 302 found i got it thnks for clarification

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing