It makes you wonder how widespread this vulnerability could be with two independent implementations found so far. I'm guessing this was found when someone audited the Django email comparison code after reading about the GitHub one.
Everyone who maintains a password reset form should be auditing for the same issue ASAP.
Yep, and it goes to show that the intricacies of character encoding need to be better understood by developers, instead of the incredibly small subset of Unicode Wizards leading the way and everyone else (me included) barely keeping up.
Naturally, the top-rated comment in the thread you linked makes a much better point than I ever could!
https://news.ycombinator.com/item?id=21809390
https://eng.getwisdom.io/hacking-github-with-unicode-dotless...
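The case-mapping collision the thread is talking about, as an added example that is not code from the thread, from Django or from GitHub. It uses constructed sample data: one stored account and two attacker-chosen lookalike addresses. The Kelvin sign (U+212A) lowercases to ASCII "k" and the dotless i (U+0131) uppercases to ASCII "I", so a reset form that lowercases or uppercases both sides to find the account, and then mails the link to the string the attacker typed, delivers the victim's reset link to the attacker. The hardened variant's canonical key (NFKC plus casefold) and the rule of always delivering to the stored address are my assumptions about a reasonable fix, not a description of either project's patch.

```python
import unicodedata
from typing import Optional

# Constructed sample data (not from the thread).
USERS = {
    "mike@example.com": {"id": 1},
}
VICTIM_EMAIL = "mike@example.com"
KELVIN_LOOKALIKE = "mi\u212ae@example.com"   # "miKe" with the Kelvin sign
DOTLESS_LOOKALIKE = "m\u0131ke@example.com"  # "mıke" with dotless i


def naive_reset_destination(submitted: str, users: dict) -> Optional[str]:
    """Vulnerable pattern: lowercase both sides to find the account, then
    send the reset link to the *submitted* string."""
    wanted = submitted.lower()
    for stored in users:
        if stored.lower() == wanted:
            return submitted  # the mail goes to the attacker's lookalike
    return None


def naive_reset_destination_upper(submitted: str, users: dict) -> Optional[str]:
    """Same bug with uppercasing; this is the mapping the dotless i abuses."""
    wanted = submitted.upper()
    for stored in users:
        if stored.upper() == wanted:
            return submitted
    return None


def canonical(addr: str) -> str:
    """Assumed canonical key: NFKC normalisation, then full Unicode case folding.
    NFKC maps the Kelvin sign to ASCII K; casefold leaves dotless i alone."""
    return unicodedata.normalize("NFKC", addr).casefold()


def hardened_reset_destination(submitted: str, users: dict) -> Optional[str]:
    """Match on the canonical key, but always deliver to the stored address.
    Even if two strings collide under the key, the link can only ever reach
    the mailbox the account was registered with."""
    wanted = canonical(submitted)
    for stored in users:
        if canonical(stored) == wanted:
            return stored  # never the user-supplied string
    return None


if __name__ == "__main__":
    print("Kelvin sign lowercases to:", repr("\u212a".lower()))
    print("dotless i uppercases to:", repr("\u0131".upper()))
    print("naive lower():", naive_reset_destination(KELVIN_LOOKALIKE, USERS))
    print("naive upper():", naive_reset_destination_upper(DOTLESS_LOOKALIKE, USERS))
    print("hardened, Kelvin:", hardened_reset_destination(KELVIN_LOOKALIKE, USERS))
    print("hardened, dotless:", hardened_reset_destination(DOTLESS_LOOKALIKE, USERS))
```

The audit question for any reset form is therefore not only "how do I compare addresses" but "which string do I put in the To: header": if it is anything other than the address already on file for the matched account, every case-mapping quirk in Unicode becomes an account takeover.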