I Fooled the Filters: Homoglyph Username Bypass Vulnerability — An Overlooked Threat in Major Platforms
Over the past few months, I discovered a recurring security loophole across multiple top-tier platforms, including Google, Samsung, Adobe, Mozilla, and Oppo — a Homoglyph Username Bypass Vulnerability. While it may appear minor at first glance, its phishing and impersonation potential poses a serious risk to user trust and platform integrity.
What’s the Issue?
Most platforms restrict the use of reserved or branded terms like admin, support, google, or company names in usernames to prevent impersonation. However, I found that by leveraging homoglyph characters — characters that look visually similar to Latin characters but are actually different Unicode code points — these filters can be bypassed.
For example:
admin→aԁmin(the "d" is a Cyrillic small letter soft-de)google→gооgle(the "o"s are Cyrillic)uber→Ubеr(the "e" is a Cyrillic character)
These altered usernames look identical to the human eye but evade the platform’s input validation.
Who did I report this to?
Here’s a quick breakdown of where I found the bug and how the vendors responded:
🟢 Mozilla
- Bug: Bypassed the
adminfilter withAdmіn - Status: ✅ Acknowledged
- Reward: $500
- Recognition: Hall of Fame 🎉
🟡 Adobe
- Bug:
adоbe(homoglyph "o") bypassed name restrictions - Status: ✅ Valid
- Points: Added to Hall of Fame
🟡 Samsung
- Bug: Allowed homoglyph spoofed usernames like
SаmsungSupport - Status: Awaiting final decision
- Bug: Same trick — bypassing admin filters with
aԁmin - Status: Rejected as “intended behavior” 🤷♂️
- Feedback: “Not enough user harm” (but come on — phishing risk is real)
🔴 Oppo
- Bug: Username restrictions skipped with Unicode payloads
- Status: Still under review
🧠 Real-World Attack Scenario
A malicious actor could register a homoglyph username like aԁmin or Oрро-Support. Then:
- Engage in forum discussions.
- Reply to user posts asking for sensitive info.
- Drop malicious links disguised as official support.
- Website for crafting Punycode or Homoglyph payloads: https://www.irongeek.com/homoglyph-attack-generator.php
Given the visual similarity, most users wouldn’t notice the subtle character differences, leading to phishing, social engineering, or even account recovery traps if MFA is set by the attacker before the real user attempts to register.
Final Tip
While homoglyph attacks aren’t “flashy” exploits, they’re highly effective in social engineering vectors — often overlooked until damage is done.
My goal with these reports wasn’t just recognition (although I’m grateful for being featured in Adobe and Mozilla’s Halls of Fame 🙌), but to raise awareness about Unicode trickery and advocate for stronger input validation across the web.
Stay sharp, stay ethical. 🧠💻
Want to chat or collaborate on bug bounties or cybersecurity research? Hit me up!
— @icecream_23
Bug Hunter | Ethical Hacker
#HappyHacking
