I expanded on johns post https://medium.com/@chetan_conikee/case-study-exploiting-a-business-logic-flaw-with-githubs-forgot-password-workflow-discovered-d4d36ee3dd16 … . There are subtleties in the flow
Interesting issue where the password reset flow can allow account take-over if you register an account with a similar email domain with a unicode case collision. More interesting, it impacts Django. https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/ … https://www.djangoproject.com/weblog/2019/dec/18/security-releases/ …
-
-
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi
-
-
-
Nice easter egg: they use a dotless ‘i’ in the case study right after introducing it as an example of an ASCII normalization collisionpic.twitter.com/iwA6cZUoGy
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi
-
Čini se da učitavanje traje već neko vrijeme.
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.