# The Power of a Special Character: Bypassing Email Validation *** **This writeup is from a great hacker called *****coffinxp7***.\ He has strong skills in hacking and loves to share useful tips with the community.\ Big thanks to him — keep sharing, bro! 💪\ Check out his channel here: [@lostsecc](https://www.youtube.com/@lostsecc) 📄 **Writeup link:** \[[ clciked here](https://infosecwriteups.com/the-most-underrated-0-click-account-takeover-using-punycode-idn-attacks-c0afdb74a3dc)] *** **This writeup talks about how a simple mistake can lead to full account takeover just by using a special character**\ (like Cyrillic or Unicode) that can **trick the backend**. **Why this happens:**\ The backend doesn’t have rules to tell it that this email: is different from this one:\ hackme\@gmаil.com← look at the "а" XD *** Got it! Here's your corrected version with the emails shown in **normal text** (not in code format): *** **Who to Look For!** **First:**\ Try this type of bug (or any hard critical bug) **at the beginning of your hunt**, because it gives you ideas about how the backend works — and can lead to **fast wins**. If it’s an open target, try logging in with any email, like:\ You want to check first if the backend has any **filtering rules** or not.\ You need to **look for the errors**. The most famous error is:\ \&#xNAN;**“Email already exists”** So how do you test this? After signing up with your normal email, go to the login page again — but this time **change the email** from:\ \ to:\ hackme\@gmаil.com← (You can inject other special characters too, but…) ⚠️ Sometimes the security layer is only on the **user interface**.\ So always try to **intercept with Burp** and change the email from the **proxy request**. ✅ Don’t waste time — if you get a good error message, this can **upgrade to account takeover**. But how? Here’s a simple way:\ If the backend doesn’t care, the attacker can create a real email like:\ **test\@gmаil.com**\ Then go to the next best function (I love this one):\ \&#xNAN;**“Reset Password”**, and do the **same scenario**. If the backend doesn't care, you will **receive the password reset link** and you can **take over the account**. And boom — report it! 🎯

🛠️ Tools used: * Burp Suite * Burp Collaborator * Punycode Generator ( [you can find the script here ](https://github.com/coffinxp/scripts/blob/main/punycode_gen.py?source=post_page-----c0afdb74a3dc---------------------------------------)) * (Optional) Interactsh *** **More resoures :** It’s a good write-up from Fares Walid that helps you understand the power of special characters. {% embed url="" %} {% embed url="" %} {% embed url="" %} **Note:** You don’t need to do this on a real target. Sometimes it’s hard to get emails with special characters. If you find this issue, just report it using collaboration. you can used the collobrtion by this way

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://captinsharky-organization.gitbook.io/captin-sharky/bug-bounty/expline-good-writeups/the-power-of-a-special-character-bypassing-email-validation.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.