🧟 Emojis can be wicked

hume

Horacio Rivero

Posted on February 27, 2020

🧟 Emojis can be wicked

This is a brief history of two great applications that provide similar services, which own similar problems.

All started as a kind of joke, it occurred to me when try create an account with a user name that contains an unicode character of atral plane emm for example a typical emoji, assuming that the sanitization system was going to correctly remove these especial characters and then was going to issue an error, as expected of course, to my surprise this never was happeneds..
I found something more interesting.

If you are wondering what the hell is an astral plane unicode character, u can read this great article and understand how those little bastards work in javascript πŸ™ƒ.

emojis in js

Emojis in javascript

The stage:

  • The system doesn't care that the email address that you entered really exist, as some say in the mexican glossary "les vale verga",
    while u respecting the pattern: asdasd@asdasd.com everything would be valid.

  • They didn't have a captcha system, i could create all the accounts i wanted necesary, thousands.

  • They don't have a correct param sanitization method.

  • Point in favor had a clouflare WAF system,
    so I could not use Tor nodes to create thousands of accounts, i would need rotary proxies or botnets etc.

The result:

Alt Text

Eager to continue having fun, I decided to go try another delivery system,
following the same steps.

I entered the registration page and introduced my evil emoji πŸ¦„, i have baptized this fuzzimoji (fuzzing whit emojis πŸ₯΄).
Guess what happened?, yes exactly the same but the result was worse.

The stage:

  • Information disclosure,the emoji had free passage and it can make an exception directly in the ORM system πŸ˜‚, due to a fault in the Mysql database πŸ’£, is it exploitable?, yes in some contexts, i found this: Hacking with unicode

The error: org.hibernate.exception.GenericJDBCException: could not execute statement

  • They didn't have a captcha system, i could create all the accounts i wanted.

  • They don't have a correct param sanitization method.

  • They have a WAF system, you are going to have to use some systems like, Bypass and detect WAF system for bypass the WAF, bullshit! 🀭, Nop, they does not have one, or some fraud detection system like Maxmind, you can create thousands of acounts using diferentes Tor nodes it is a really simple task, then they would be a very difficult task for theys to filter or find a search pattern to remove all bot accounts.

  • Point in favor, you must enter a valid email account, but can used a temporal account generator temp-mail

  • Second point in favor, you will need many phone numbers,
    but it is possible to pass this limitation πŸ˜‰.

The result:

result

I already assumed that this could happen, it was no accident, but investigating among other cases.

You might wonder what produced the good mistake, it is something very simple.

Turns out MySQL’s utf8 charset only partially implements proper UTF-8 encoding. It can only store UTF-8-encoded symbols that consist of one to three bytes; encoded symbols that take up four bytes aren’t supported.

Since astral symbols (whose code points range from U+010000 to U+10FFFF) each consist of four bytes in UTF-8, you cannot store them using MySQL’s utf8 implementation.

You can read about this in mysql-utf8mb4

Conclusion what is for my the real impact of this

  • Someone could create thousands of accounts and place thousands of orders to different places generating huge losses, since it is possible to make payments at the door or at home, no credit card is required.

  • Someone could raise the position of your business doing, placing auto orders.

  • Someone could send a few deliverys to my worst enemy πŸ‘».

  • Someone could make the largest congregation of al times of deliveries in Latin America by sending all to the same place at the same time.
    If you are some person of marketing team, you can make it happen, simply say it was a mistake, simply blame it was the programmers fault, think in this, is free publicity, then sit in your chair to wait for your boss's thanks πŸ˜‰.

  • Go deeper and exploit some vulnerability with the data obtained.

Note 🚨: I do not want to make an apology for the crime or improper use of the application, on the contrary i hope they will solve it,
if they think it necessary.
I also don't take responsibility for what the people can do with this information, take it with humor, everything is a joke.

For me it was just a funny and interesting anegdota that I wanted to share with all. These are two large Latin American companies with thousands of employees, test departments and systems engineers, people who detect fraud etc, but it seems that sometimes the smallest details can escape their hands and can cause huge connotations.

Leave me your opinion greetings!

πŸ’– πŸ’ͺ πŸ™… 🚩
hume
Horacio Rivero

Posted on February 27, 2020

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

🧟 Emojis can be wicked
security 🧟 Emojis can be wicked

February 27, 2020