• Unicode lets computer systems support more
languages, allowing for worldwide use
• Stores characters with multiple bytes
• It provides a unique number for every character,
no matter what the platform, no matter what the
program, no matter what the language
• Every character has a unique number
• A = U+0041
• < = U+003C
• Classic example: c0rn ;)
o=U+006f, ο=U+03bf, о=U+043e
• Latin Small o, Greek Small O, Cyrillic Small
• Searches for the above can turn up different
results in Google
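Added example (not from the slides): a small Python check that exposes the lookalike problem above by listing code points and flagging strings that mix scripts. It uses the first word of each character's Unicode name as a stand-in for its script (an assumption; the real Unicode Script property is finer-grained), and the sample strings are constructed from the slide's three small-o variants.

```python
import unicodedata

# Constructed samples: the slide's "corn" with a Latin, Greek and Cyrillic small o.
SAMPLES = {
    "latin": "corn",
    "greek": "c\u03bfrn",      # U+03BF GREEK SMALL LETTER OMICRON
    "cyrillic": "c\u043ern",   # U+043E CYRILLIC SMALL LETTER O
}


def code_points(s):
    """Render a string as its code points, e.g. 'U+006F U+03BF U+043E'."""
    return " ".join(f"U+{ord(c):04X}" for c in s)


def script_of(ch):
    """Approximate script from the character's Unicode name (first word:
    'LATIN', 'GREEK', 'CYRILLIC', ...). Returns None for unnamed characters."""
    name = unicodedata.name(ch, None)
    return name.split()[0] if name else None


def scripts_in(s):
    """Set of scripts used by the letters of s; digits and punctuation are ignored."""
    return {script_of(c) for c in s if c.isalpha() and script_of(c)}


def is_mixed_script(s):
    """True when letters from more than one script appear, a cheap signal that
    a name or URL may be a homoglyph of something else."""
    return len(scripts_in(s)) > 1


if __name__ == "__main__":
    for label, word in SAMPLES.items():
        print(f"{label:9} {word}  {code_points(word)}  mixed={is_mixed_script(word)}")
```

The three words render almost identically but differ in code points, so a plain string comparison treats them as different names; flagging mixed-script identifiers at registration time is one way to surface that before it becomes a confusable account or domain.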
• Data can be entered using Unicode to disguise
malicious code and permit various Unicode
transformation issues, such as Best-Fit
• Occurs when a character X gets transformed to
an entirely different character Y.
• Character X in the source encoding doesn't exist
in the destination encoding, so the App
attempts to find a best match.
• So the characters are transcoded between
Unicode and another character encoding.
• Lowercase operation on the input after
• The string "script" is prevented by the filter,
but the string "scrİpt" is allowed.
• Possibility of using many lookalikes:
• Unicode character U+FF1C FULLWIDTH LESS-THAN SIGN
(＜) transformed into U+003C LESS-THAN SIGN (<) due
• Unicode Transformation for Cross-Site Scripting or SQL
• %C0%BE = >
• %C0%BC = <
• URL encoded GET input locale is set to
• Here is a part of the HTTP request.
• In the HTTP response, this character was converted to
the short form (<)
<input type="hidden" value="acux5291>z1<z2a�bcxuca5291" name="group">
• Unicode character
is transformed into
• Supported Unicode usernames.
• Existing user account bigbird hijacked.
• Attacker created a new Spotify account with username
ᴮᴵᴳᴮᴵᴿᴰ (string u'\u1d2e\u1d35\u1d33\u1d2e\u1d35\u1d3f\u1d30').
• Send a request for a password reset for your new account.
• A password reset link is sent to the email for your new account. Use
it to change the password.
• Instead of logging into that account with username ᴮᴵᴳᴮᴵᴿᴰ, log in
with username bigbird and the new password.
• Account compromised.
• The canonical_username function was only applied
the first time. A function like “toLower” was applied.
• A user signs up with username BigBird, normalized to
• Another user signs up as ᴮᴵᴳᴮᴵᴿᴰ, which also gets
normalized to BIGBIRD the first time, but bigbird the
• ᴮᴵᴳᴮᴵᴿᴰ requests a password reset email, and with it can
reset bigbird’s account.
• Use Canonicalizing
– Important aspect of input sanitization
– Converting data with various possible
representations into a standard "canonical"
representation deemed acceptable by the
application, e.g. mapping all characters to lower case
– Treat “BigBird”, “ ᴮᴵᴳᴮᴵᴿᴰ ” and “bigbird” as the same
by Canonicalizing as they would all be mapped to
• The vulnerability was noticed when the compromised
accounts started RETWEETING a tweet with a "♥" symbol
that was followed by a string of code/parameters.
• Users didn’t even have to click on the tweet sent out by the
Twitter account @derGeruhn. Just the act of viewing the
tweet would cause the user to automatically retweet
• Affected accounts also involuntarily re-tweeted a cross-site
scripting (XSS) code as a result of the vulnerability
• That tweet hit the maximum re-tweet count:
over 84,000 times
• TweetDeck didn’t escape HTML characters if a Unicode
character was in the tweet text
• The Unicode-Heart (which gets replaced with an
image by TweetDeck) somehow prevents the Tweet
from being HTML-escaped.
• TweetDeck was not supposed to display this as an
Because it's simple Text,
which should be escaped to
1. When converting strings used in security-sensitive
operations, use documented options
which prevent the use of best-fit mappings.
2. A suitable canonical form should be chosen and
all user input canonicalized into that form before
any authorization decisions are performed.
3. Security checks should be carried out after UTF-8
decoding is completed.
X is only allowed if X==canonical(X)
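Added example (not from the slides or from Spotify's or TweetDeck's code): Python that ties the three rules together with the cases shown earlier. It reproduces the non-idempotent username canonicalization behind the bigbird hijack, applies the rule X is only allowed if X == canonical(X), folds the "scrİpt" lookalike so a blocklist check sees "script", and rejects the overlong sequences %C0%BC / %C0%BE by decoding UTF-8 strictly after URL decoding. Function names and the order of operations in the "buggy" variant are assumptions chosen to illustrate the bug, not a transcription of any real implementation.

```python
import unicodedata
from urllib.parse import unquote_to_bytes

# Constructed sample: the superscript-letter lookalike from the Spotify case.
FAKE_BIGBIRD = "\u1d2e\u1d35\u1d33\u1d2e\u1d35\u1d3f\u1d30"  # ᴮᴵᴳᴮᴵᴿᴰ


def canonical_username_buggy(name):
    """Illustrative non-idempotent canonicalization (assumed ordering).
    lower() runs first: modifier letters such as U+1D2E have no lowercase
    form, so they survive; NFKC then folds them to the UPPERCASE base letter.
    Running it a second time lowercases that result, so the output changes."""
    return unicodedata.normalize("NFKC", name.lower())


def canonical_username(name):
    """Normalize first, then case-fold: the result is stable under repetition."""
    return unicodedata.normalize("NFKC", name).casefold()


def is_idempotent(fn, s):
    """Rule of thumb for any canonicalizer: fn(fn(x)) must equal fn(x)."""
    return fn(s) == fn(fn(s))


def is_canonical(s, fn=canonical_username):
    """The slide's rule: X is only allowed if X == canonical(X)."""
    return s == fn(s)


def fold_for_filter(s):
    """Case-fold, then drop combining marks after NFKD, so that 'scrİpt'
    (U+0130) compares equal to 'script' in a blocklist check. Python's
    casefold turns U+0130 into 'i' + U+0307, which a naive check misses."""
    folded = unicodedata.normalize("NFKD", s.casefold())
    return "".join(c for c in folded if not unicodedata.combining(c))


def decode_url_input(raw):
    """Percent-decode, then decode UTF-8 strictly (rule 3). Overlong forms such
    as %C0%BC are rejected instead of being best-fit to '<'; returns None."""
    data = unquote_to_bytes(raw)
    try:
        return data.decode("utf-8")  # strict error handling is the default
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    print("buggy once :", canonical_username_buggy(FAKE_BIGBIRD))
    print("buggy twice:", canonical_username_buggy(canonical_username_buggy(FAKE_BIGBIRD)))
    print("fixed      :", canonical_username(FAKE_BIGBIRD),
          "idempotent" if is_idempotent(canonical_username, FAKE_BIGBIRD) else "NOT idempotent")
    print("filter sees:", fold_for_filter("scr\u0130pt"))
    print("%C0%BC     :", decode_url_input("%C0%BC"), "| %3C:", decode_url_input("%3C"))
```

The idempotence check is the one worth wiring into tests: a canonicalizer that gives a different answer on its second pass is exactly what lets a reset for one stored form land on another account, and `is_canonical` enforced at sign-up keeps only already-canonical names in the database.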
• Here’s a chart with all the new emoji in yellow
including my favorite “1F595” which will be a
hit on Twitter.