$3,000 Bounty!😱😱 | Puny-Code Account Takeover | P1 Bug POC
📢 Disclaimer: This video is intended for educational purposes only. The techniques and tools shared in this video are meant to help you learn and grow as a cybersecurity enthusiast or ethical hacker. Please use this knowledge responsibly. Any misuse of the information provided is strictly discouraged.

⸻⸻⸻⸻⸻⸻

🔗 Stay Connected with Me:
📸 Instagram: / cyberhead._
📬 Contact for Collaborations: [email protected]

⸻⸻⸻⸻⸻⸻

🎯 Courses & Learning Resources:
🔥 Beginner Bug Bounty Bootcamp (My Course): 👉 https://creator.tagmango.app/bugbount...
📚 Free Bug Bounty Books Collection: 👉 https://drive.google.com/drive/u/0/mo...
🔧 Top 100 Vulnerabilities PDF: 👉 https://drive.google.com/file/d/1N61M...

⸻⸻⸻⸻⸻⸻

REPORT TEMPLATE:

Summary:
An attacker can take over any existing user account by using Unicode homoglyphs in the local part of an email address. Visually similar characters (for example ü in place of u) compare equal under the database's accent-insensitive collation but are delivered to distinct mailboxes by the mail system. The attacker therefore bypasses the email uniqueness check and tricks the application into sending a password reset link to an address they control, achieving 0-click Account Takeover (ATO).

Technical Details:

Root cause (an inconsistency between two components):
1. The database compares emails under an accent- and case-insensitive collation (for example MySQL's utf8mb4_0900_ai_ci, the MySQL 8.0 default, or utf8mb4_unicode_ci), so visually similar Unicode characters compare equal (e.g., ü = u, 𝖺 = a). This is a property of the collation rather than of MySQL as such; a binary collation such as utf8mb4_bin treats them as different strings.
2. SMTP/email systems treat these addresses as distinct and deliver to the exact Unicode address supplied.

If your backend:
1. Looks up the user with the raw input (e.g., SELECT * FROM users WHERE email = '[email protected]'), and
2. Sends the reset link to that same input rather than to the address stored for the matched user,
then the attacker receives the reset link for the legitimate account.

Steps to Reproduce:

Victim email:
1. The legitimate user [email protected] is already registered on the site.

Attacker preparation:
2. Register a visually similar Unicode email (e.g., hü[email protected]) on a free email service that accepts Unicode local parts.

Exploitation:
3. Go to https://Example.com/account/register
4. Use a normal email on a Burp Collaborator domain so that outbound SMTP activity can be observed. Example: [email protected]
5. Register the account.
6. Now try to create another account with the visually similar Unicode email: hü[email protected] (the ü is a raw Unicode character in the local part; it is not punycode-encoded, since punycode applies only to the domain labels of an internationalised address).
7. The browser may reject the non-ASCII address, so: open Burp Suite, intercept the registration POST request, and change the email field manually to hü[email protected]
8. The app returns an error such as "Email already exists".
9. This confirms that the uniqueness check collapses both emails into one, i.e. the database collation treats them as equal.
10. Now visit Example.com/account/login
11. Click "Forgot Password".
12. Enter the Unicode email: hü[email protected]
13. Submit the form.
14. Check the Collaborator for the outbound SMTP interaction; the RCPT TO address in it should be the Unicode address you submitted.
15. This confirms that the reset password email was sent to the attacker-controlled Unicode address, not to the victim's actual address.
16. Open the reset password link.
17. Set a new password.
18. Log in to the real account using [email protected]
19. You now control the victim's account.

Impact:
1. Full account takeover without user interaction.
2. Bypass of email uniqueness and authentication integrity.
3. Can be automated for mass exploitation if the email pattern is known.

Proof of concept: Video attached demonstrating the vulnerability.

Reference Article: https://blog.voorivex.team/puny-code-...

⸻⸻⸻⸻⸻⸻

👍 Don't forget to LIKE, COMMENT, and SUBSCRIBE for more practical content on bug bounty and ethical hacking. 🛎️ Hit the bell icon so you never miss an update!
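To make the two-component inconsistency in the report concrete, here is an added Python example (not code from the video or the report template above). It models an accent- and case-insensitive collation with Unicode NFKD folding, shows the registration uniqueness check rejecting the homoglyph address (the "Email already exists" behaviour of step 8), and contrasts a reset flow that mails the submitted string with one that matches exactly and mails only the address on file. The addresses and the users table are constructed sample data, and fold_ai_ci is an approximation of how such a collation compares strings, not MySQL's implementation.

```python
import unicodedata
from typing import List, Optional

# Constructed sample data (not taken from the report): the victim's address and an
# attacker address that differs only by a diaeresis on the 'u'.
VICTIM_EMAIL = "hulk@example.com"
ATTACKER_EMAIL = "h\u00fclk@example.com"  # renders as hülk@example.com


def fold_ai_ci(s: str) -> str:
    """Approximate an accent- and case-insensitive collation (e.g. MySQL utf8mb4_0900_ai_ci).

    NFKD decomposition splits 'ü' into 'u' + combining diaeresis and maps compatibility
    characters such as MATHEMATICAL SANS-SERIF SMALL A (U+1D5BA) to plain 'a'; dropping
    the combining marks and case-folding then makes 'ü' == 'u' and '𝖺' == 'a'.
    This is a model of the collation's behaviour, not MySQL's implementation.
    """
    decomposed = unicodedata.normalize("NFKD", s)
    without_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return without_marks.casefold()


class UserTable:
    """Toy stand-in for a `users` table with an email column (constructed, in-memory)."""

    def __init__(self, emails: List[str]) -> None:
        self.rows = list(emails)

    def lookup_ai_ci(self, email: str) -> Optional[str]:
        """SELECT email FROM users WHERE email = ?  -- under an accent-insensitive collation."""
        wanted = fold_ai_ci(email)
        for stored in self.rows:
            if fold_ai_ci(stored) == wanted:
                return stored
        return None

    def lookup_binary(self, email: str) -> Optional[str]:
        """SELECT email FROM users WHERE email = ? COLLATE utf8mb4_bin  -- exact match only."""
        return email if email in self.rows else None


def register(db: UserTable, email: str) -> str:
    """Registration uniqueness check as the report describes it: folding comparison."""
    if db.lookup_ai_ci(email) is not None:
        return "Email already exists"
    db.rows.append(email)
    return "Registered"


def reset_recipient_vulnerable(db: UserTable, submitted: str) -> Optional[str]:
    """Vulnerable reset flow: match under the folding collation, then mail the *submitted* string."""
    if db.lookup_ai_ci(submitted) is None:
        return None
    return submitted  # the bug: the attacker's Unicode address receives the victim's link


def reset_recipient_fixed(db: UserTable, submitted: str) -> Optional[str]:
    """Hardened reset flow: exact match, and the link goes only to the address on file."""
    stored = db.lookup_binary(submitted)
    if stored is None:
        return None
    return stored  # never the raw form input


if __name__ == "__main__":
    users = UserTable([VICTIM_EMAIL])
    print(register(users, ATTACKER_EMAIL))                    # Email already exists
    print(reset_recipient_vulnerable(users, ATTACKER_EMAIL))  # hülk@example.com
    print(reset_recipient_fixed(users, ATTACKER_EMAIL))       # None
```

The SQL-side equivalent of lookup_binary is to compare on a binary collation (declaring the email column with utf8mb4_bin, or appending COLLATE utf8mb4_bin to the comparison) and to keep the unique index on that column; independently of how the lookup is done, the reset mail must always be addressed to the email stored for the matched user, never to the value the form submitted. Rejecting or normalising non-ASCII local parts at registration is a further defence, but it does not replace either of the two fixes.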
