Hello guys!! Here is a real-time scenario for using a homograph.
As I was personalizing my profile URL, I thought I would do the same with my friend’s one. I tried the normal way, but LinkedIn did not accept it as it was already in use.
Finally, it accepted my profile URL https://www.linkedin.com/in/mrreboοt/, which looks the same as my friend’s https://www.linkedin.com/in/mrreboot/. Great, now it may be used for any social engineering activities, which may lead to loss of reputation etc.
The actual URL is https://www.linkedin.com/in/mrrebo%CE%BFt/, where I used the homograph character ‘о’, which looks like ‘o’ and whose actual punycode is “%CE%BF”, from https://www.irongeek.com/homoglyph-attack-generator.php
The same scenario can be used, as required, for getting fake IDNs, profile names etc., for the best social engineering and phishing attacks.
One more thing I found here: LinkedIn does not accept special characters when personalizing the URL, but by using this we can even bypass server-side validation and use %CE%BF etc.
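A server-side check that would catch this kind of slug, as an added example that is not part of the original post and not LinkedIn's code. `%CE%BF` is the percent-encoded UTF-8 form of U+03BF (Greek small letter omicron); the function names, the small `CONFUSABLES` table and the sample slugs are constructed for illustration, and a production check would load the full Unicode confusables data (UTS #39).

```python
import unicodedata
from urllib.parse import unquote

# Constructed, deliberately tiny confusables table (assumption: real systems
# would use the complete confusables.txt mapping from Unicode UTS #39).
CONFUSABLES = {
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
}

def scripts(slug):
    """Scripts of the letters in slug, taken from the first word of each Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in slug if ch.isalpha()}

def skeleton(slug):
    """Fold a slug to a comparison form: NFKC, casefold, then map look-alikes to ASCII."""
    folded = unicodedata.normalize("NFKC", slug).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def check_slug(raw, taken):
    """Return the reasons to reject a requested slug (hypothetical helper).

    raw   -- slug as received, possibly percent-encoded
    taken -- set of slugs that already exist
    """
    # Decode first, so validation sees the characters that will be displayed.
    slug = unquote(raw, encoding="utf-8", errors="strict")
    reasons = []
    if not slug.isascii():
        reasons.append("non-ascii")
    if len(scripts(slug)) > 1:
        reasons.append("mixed-script")
    # Exact duplicates are left to the normal uniqueness check.
    if slug not in taken and skeleton(slug) in {skeleton(t) for t in taken}:
        reasons.append("confusable-with-existing")
    return reasons

if __name__ == "__main__":
    existing = {"mrreboot"}  # constructed sample data
    print(check_slug("mrrebo%CE%BFt", existing))
    print(check_slug("mr-robot-42", existing))
```

The point of decoding before validating is that a character filter applied only to the raw request string sees `%`, hex digits and ASCII letters, while the stored and displayed slug contains the Greek letter.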
Sadly, I reported this and LinkedIn considered it an informative finding. As it has been more than 90 days since reporting and LinkedIn did not find considerable risk, I am disclosing it here.
Let me know if you have any more exploitation scenarios that may increase the risk.