Comment by minikomi
10 years ago
Hmm. Not really related, but now that it seems to be fixed - I discovered that using an equals sign in your name was enough to be "locked out" of Airbnb - it wrecked the cookie & every page would return 403. No bug bounty though haha. Guess it wasn't enough of an "attack vector" to try and convince someone to change their name.
I know of an online store that if you use a + in your email address, will fail to charge you for any goods you order.
I'm assuming because something somewhere on their backend assumes that '+' is an invalid email character and refuses to process the job. This is unbelievably common.
I remember finding somewhere that let me sign up with a +, but not log in with it - unless I disabled client-side validation, at which point the server was happy to let me in.
If you ever order from HobbyKing (not the store I mentioned previously) do NOT have a plus in your email. It gets converted silently to a space in their internal systems and their customer support has absolutely 0 access or escalation.
They outsource everything, and ultimately it took me months to sort everything out.
That's insanely insecure. Can't believe client-side validation would be used for a login system other than as a first check.
I hope I get lucky with something like that one day!
It's more usual that the front end thinks '+' is invalid too. The usual result is that my signup attempt is blocked. And when I send them feedback about it, I'm roundly ignored.
I had all kinds of trouble with my abc@firstname.lastname.name mail address. Some did not recognize .name. Others had trouble with the third-level domain. Sometimes the sign-up worked but something in the backend broke...
I can't even change my email address to my .me domain on Facebook because they keep telling me it's an invalid domain ending.