Unicode mirror character?

security unicode

We've talked about attacks using the RLO (U+202E RIGHT TO LEFT OVERRIDE) character in the past, which shifts the 'visual' display of a string from the position it's placed inside that string. So for example:

document[U+202E]fdp.exe visually looks like documentexe.pdf

I talked about these and other attacks of this sort here http://www.casaba.com/products/UCAPI/. In fact we're starting to hear of real world attacks using these techniques to bypass spam and other filters. Firefox closed a bug in their file download dialog box.

I see a big difference between attacks leveraging BIDI text and the playful sort of 'mirror' effects you get from tools like http://txtn.us/mirror-words-flip-text-reverse-words-upside-down-words-and-text.

!luʇmɿɒʜ ƨɒ mɘɘƨ ƚ'nƨɘob ƚxɘƚ bɘɿoɿɿim ɘʜƚ


Well, you can abuse it for pishing attacks. Take this URL for example:

 ‮http://www.example.com?site/moc.elgoog.www//:ptth

It looks like if you click it it will take you to google.com, where in reality it will take you to example.com. Not all browsers support it, though.


There are no digital risks, but there can be human risks as it may cause things to be misread or misinterpreted.

Related

How to create Binance test API key
Regex to Take into Account Preceding Word in Python [duplicate]
Applying strptime function to pandas series
What is thread synchronization and how does it differ form atomicity?
How to fetch Amazon Cognito Identity ID (user_identity_id) for the user from the lambda function?
virtualenv in PowerShell?
Taylor expansion in C++: function factory?
AzureFileCopyV4 failed when uploading to Azure Storage Static Website "$web"
Model bound complex types must not be abstract or value types and must have a parameterless constructor
How to fix: script.js:3 Uncaught TypeError: Cannot set properties of undefined (setting 'backgroundColor') in javascript [duplicate]
Shopify Liquid show content based on dates
can't access model in relations laravel