
Comment by rurban

4 days ago

https://github.com/rurban/libu8ident

Search for homoglyph attacks and the Unicode security guidelines for identifiers

OK that is pretty interesting. For the TL;DR crowd, the exploit was:

  if(environmentǃ=ENV_PROD){
    // bypass authZ checks in DEV
    return true;
  }

where the 'ǃ' is a Unicode homoglyph (U+1C3 "LATIN LETTER ALVEOLAR CLICK") which obviously completely changes the nature of the code.

I'll note that GCC gives a clear warning here ("suggest parentheses around assignment used as truth value"), so as always, turn on -Werror and take warnings seriously!

  • The shown code is JavaScript; it wouldn't compile as C, because "environment[alveolar-click]" was never declared, and C requires declare-before-use. Does the advice to use GCC -Werror still apply to JavaScript? (I'd guess no, but I don't know for sure if I'm missing something.)

    • It compiles fine as C (using gcc-15.1.1-2.fc43.x86_64). Here's the complete program that I tested before posting the comment above:

        int environmentǃ;
        int main()
        {
          if(environmentǃ=0){
            // bypass authZ checks in DEV
            return 0;
          }
          return 1;
        }

      The output of GCC is:

        $ gcc -Wall test.c
        test.c: In function ‘main’:
        test.c:4:6: warning: suggest parentheses around assignment used as truth value [-Wparentheses]
            4 |   if(environmentǃ=0){
              |      ^~~~~~~~~~~~

      In a real exploit you'd have to be smarter about hiding the variable declaration (maybe in a library or something).