undefined | Better HN

0 pointsrurban10mo ago0 comments

Search for homoglyph attacks and the unicode security guidelines for identifiers

0 comments

3 comments · 1 top-level

rwmj10mo ago· 2 in thread

OK that is pretty interesting. For the TL;DR crowd, the exploit was:

  if(environmentǃ=ENV_PROD){
    // bypass authZ checks in DEV
    return true;
  }

where the 'ǃ' is a Unicode homoglyph (U+1C3 "LATIN LETTER ALVEOLAR CLICK") which obviously completely changes the nature of the code.

I'll note that GCC gives a clear warning here ("suggest parentheses around assignment used as truth value"), so as always, turn on -Werror and take warnings seriously!

quuxplusone10mo ago

The shown code is JavaScript; it wouldn't compile as C, because "environment[alveolar-click]" was never declared, and C requires declare-before-use. Does the advice to use GCC -Werror still apply to JavaScript? (I'd guess no, but I don't know for sure if I'm missing something.)

rwmj10mo ago

It compiles fine as C (using gcc-15.1.1-2.fc43.x86_64). Here's the complete program that I tested before posting the comment above:

  int environmentǃ;
  int main()
  {
    if(environmentǃ=0){
      // bypass authZ checks in DEV
      return 0;
    }
    return 1;
  }

The output of GCC is:

  $ gcc -Wall test.c
  test.c: In function ‘main’:
  test.c:4:6: warning: suggest parentheses around assignment used as truth value [-Wparentheses]
      4 |   if(environmentǃ=0){
        |      ^~~~~~~~~~~~

In a real exploit you'd have to be smarter about hiding the variable declaration (maybe in a library or something).

j / k navigate · click thread line to collapse