In a recent vulnerability disclosure, they described how users used a failure in the username normalization code to gain access to accounts that did not belong to them. The problem was that they used a non-idempotent operation on usernames to check whether they were accepted, so ᴮᴵᴳᴮᴵᴿᴰ and BIGBIRD were separate usernames when they shouldn't have been.
I would like to allow Unicode usernames on my website, but I do not want to be vulnerable to such attacks. I do not use Python, so I cannot use the solution they offered on their website. Is there an idempotent formula, usable on any platform that supports Unicode operations (e.g. Python, Ruby, Lua, JavaScript, .NET, etc.), that will map two Unicode strings that differ only "visually" to the same string? Is it as simple as NFKD + lowercasing the string?
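An added example (not from the question or from the disclosure it refers to) showing the two halves of the problem in Python, since Python's standard library exposes both Unicode normalization and full case folding: a canonicalization of the shape NFKC(casefold(NFKC(x))), which is the form Unicode uses for its compatibility caseless match, beside a hypothetical, deliberately weak "lowercase first, then NFKC" pipeline that is not idempotent on exactly the ᴮᴵᴳᴮᴵᴿᴰ input above, plus a small registry that refuses any username whose canonical form is not a fixed point. The `UserStore` class and the `lower_then_nfkc` function are illustrative constructs, not anyone's production code.

```python
import unicodedata


def canonical_username(name: str) -> str:
    """Canonical form used for uniqueness checks and lookups.

    NFKC first, so compatibility characters (superscript/modifier letters,
    fullwidth forms, ligatures) become their plain equivalents; then
    casefold(), which is stronger than lower() (e.g. 'ß' -> 'ss'); then NFKC
    again, because case folding can emit sequences that are not yet in
    normal form. This is the NFKC(casefold(NFKC(x))) shape of Unicode's
    compatibility caseless match.
    """
    folded = unicodedata.normalize("NFKC", name).casefold()
    return unicodedata.normalize("NFKC", folded)


def lower_then_nfkc(name: str) -> str:
    """Hypothetical weak pipeline, for contrast: lowercase, then NFKC.

    The modifier letters in ᴮᴵᴳᴮᴵᴿᴰ (U+1D2E etc.) have no lowercase mapping,
    so lower() leaves them alone and NFKC then turns them into upper-case
    ASCII 'BIGBIRD'. A second pass lowercases that ASCII to 'bigbird', so
    one application and two applications disagree: not idempotent.
    """
    return unicodedata.normalize("NFKC", name.lower())


def is_idempotent(canon, name: str) -> bool:
    """True if applying `canon` twice gives the same result as applying it once."""
    once = canon(name)
    return canon(once) == once


class UserStore:
    """Registry keyed by canonical form; the display name is kept as typed."""

    def __init__(self) -> None:
        self._accounts: dict[str, str] = {}

    def register(self, name: str) -> str:
        canon = canonical_username(name)
        # Defence in depth: refuse any name whose canonical form is not a
        # fixed point, even though the pipeline above is expected to be stable.
        if canonical_username(canon) != canon:
            raise ValueError(f"unstable canonical form for {name!r}")
        if canon in self._accounts:
            raise ValueError(
                f"{name!r} collides with existing account {self._accounts[canon]!r}"
            )
        self._accounts[canon] = name
        return canon

    def lookup(self, name: str):
        """Return the registered display name for any lookalike of `name`, or None."""
        return self._accounts.get(canonical_username(name))


if __name__ == "__main__":
    store = UserStore()
    store.register("BIGBIRD")
    # The superscript lookalike resolves to the existing account instead of
    # registering as a second one.
    print(store.lookup("ᴮᴵᴳᴮᴵᴿᴰ"))
    try:
        store.register("ᴮᴵᴳᴮᴵᴿᴰ")
    except ValueError as exc:
        print("rejected:", exc)
    print("weak pipeline idempotent?", is_idempotent(lower_then_nfkc, "ᴮᴵᴳᴮᴵᴿᴰ"))
```

Two caveats for other platforms. First, most runtimes expose NFKC (JavaScript `String.prototype.normalize`, .NET `String.Normalize`, Ruby `String#unicode_normalize`, ICU everywhere), but full case folding is less common than `lower()`; if only lowercasing is available, apply it after NFKC, normalize again, and keep the fixed-point check at registration time so a non-idempotent combination is caught rather than exploited. Second, normalization plus case folding only collapses compatibility and case variants; it does nothing about cross-script confusables such as Cyrillic а versus Latin a, which need a separate confusable check or a restricted script repertoire.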