Email Security Flaw Exposes Zero-Click Vulnerability
September 18, 2025

A recently disclosed zero-click vulnerability exposes a critical flaw in how web applications handle internationalized email addresses, allowing attackers to hijack accounts without any user interaction.
A report by Kavichselvan in Cyber Security News claims that the vulnerability enables adversaries to bypass phishing tactics entirely and gain full account access by exploiting inconsistencies in how different systems interpret email addresses.
This poses a serious threat to the integrity of password reset and “magic link” login mechanisms, which serve as key components of user authentication frameworks.
The issue originates from a canonicalization mismatch involving Unicode and Punycode. Unicode allows non-Latin characters in domain names, while Punycode converts these characters into ASCII for compatibility with Internet infrastructure.
When an attacker registers a domain using visually confusable characters, such as a Cyrillic “o” in place of a Latin “o”, and submits a password reset request, some application components may fail to detect the difference.
This creates an opportunity to route privileged links to the attacker’s domain rather than the intended user’s.
In documented cases, attackers crafted email addresses that appeared identical to legitimate ones but resolved to attacker-controlled Punycode domains.
The front-end or validation logic accepted the addresses as valid, but mail systems delivered the reset link to the attacker’s domain. The legitimate user remained unaware while their account was silently compromised.
The flaw arises because the different layers of the system (user interfaces, validation rules, databases, and mail servers) interpret the same address differently.
Legal teams should be aware of the potential legal exposure related to data protection and breach notification obligations arising from this zero-click vulnerability.
Companies should ensure the consistent normalization and validation of email addresses across all systems and assess liability risks associated with compromised accounts resulting from improper email handling.
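As an added illustration of that "consistent normalization" advice (example code written for this page, not from the report or any product it mentions), the Python below canonicalizes an address the same way at every layer and refuses to issue a reset link when the submitted address does not match the stored one after canonicalization or when its domain mixes scripts. The use of the standard-library idna codec and the reset policy itself are assumptions.

```python
import unicodedata

# Added defender-side example: canonicalize an email address once, in one place,
# so UI, validation, database and mailer all compare the same string, and flag
# homoglyph-style (mixed-script) domains before a reset or magic link is sent.

def canonical_email(addr: str) -> str:
    """Return a canonical ASCII form: NFKC, lowercase, domain as Punycode (IDNA)."""
    addr = unicodedata.normalize("NFKC", addr.strip())
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("malformed address")
    # The stdlib idna codec accepts both Unicode and already-encoded xn-- labels,
    # so 'ex\u0430mple.com' (Cyrillic a) and its xn-- form canonicalize identically.
    ascii_domain = domain.lower().encode("idna").decode("ascii")
    return f"{local.lower()}@{ascii_domain}"  # lowercasing the local part: assumed policy

def label_scripts(label: str) -> set[str]:
    """Script names (LATIN, CYRILLIC, ...) of the letters in one domain label."""
    return {unicodedata.name(ch, "?").split()[0] for ch in label if ch.isalpha()}

def mixed_script_labels(domain: str) -> list[str]:
    """Labels whose letters come from more than one script: a homoglyph red flag."""
    unicode_domain = domain.encode("idna").decode("idna")  # works for either input form
    return [lab for lab in unicode_domain.split(".") if len(label_scripts(lab)) > 1]

def reset_request_allowed(stored_email: str, submitted_email: str) -> tuple[bool, str]:
    """Assumed policy for a reset / magic-link request: the canonical forms must be
    identical and the domain must not contain a mixed-script label."""
    try:
        stored_c = canonical_email(stored_email)
        submitted_c = canonical_email(submitted_email)
    except (ValueError, UnicodeError) as exc:
        return False, f"rejected: {exc}"
    if stored_c != submitted_c:
        return False, f"rejected: canonical mismatch {stored_c!r} != {submitted_c!r}"
    mixed = mixed_script_labels(submitted_c.rpartition("@")[2])
    if mixed:
        return False, f"rejected: mixed-script label(s) {mixed}"
    return True, f"allowed: link goes to {submitted_c}"

if __name__ == "__main__":
    # Constructed sample: a stored account address and three submitted variants.
    for candidate in ("Alice@Example.COM", "alice@ex\u0430mple.com", "alice@xn--exmple-4nf.com"):
        print(candidate, "->", reset_request_allowed("alice@example.com", candidate))
```

The same `canonical_email` value should be what gets stored at registration, so the later comparison is against a canonical form rather than whatever string the sign-up form happened to accept.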