Twitter: Wrong interpretation of URL-encoded characters; different punycode display leads to redirection to a different domain

ID H1:635597
Type hackerone
Reporter mr_edwards
Modified 2019-08-26T16:55:39



There is a wrong interpretation of URL-encoded characters at the endpoint, which could lead to a different location than the one that is supposed to be shown.

Although it shows a warning, it does not warn about the punycode characters.


On the following characters:

  • %E2%80%AE - RTLO character
  • %E2%80%8E - LEFT-TO-RIGHT MARK
  • %E2%80%91 - Non-breaking hyphen
  • %E2%80%A9 - PARAGRAPH SEPARATOR
  • %E2%80%AA - Right-to-left embedding

The interpretation of these characters differs, but when you click the continue button it redirects you to some other location.
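As an added example (not part of the report or of Twitter's code), the check below percent-decodes only the host part of a URL, flags the bidi controls, invisible format characters and look-alike hyphens of the kind listed above, and shows the ASCII (xn--) form a resolver would actually use, which is what a redirect warning page should display. The `example…test` URLs are constructed samples, not URLs from the report.

```python
import unicodedata
from urllib.parse import unquote, urlsplit

# Characters that alter how a hostname is *displayed* without changing where it
# resolves. Matching on Unicode properties instead of a fixed list covers the five
# percent-encoded code points in the report and their siblings.
RISKY_CATEGORIES = {"Cf", "Cc", "Zl", "Zp", "Zs", "Co", "Cn"}
RISKY_BIDI = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def decode_host(url: str) -> str:
    """Split the still-percent-encoded URL (pure ASCII, so parsing is
    unambiguous), then decode only the host part."""
    return unquote(urlsplit(url).hostname or "")


def hostname_findings(url: str) -> list:
    """Return (U+XXXX, name, reason) for each host character an interstitial
    should never render as if it were a plain letter or hyphen."""
    findings = []
    for ch in decode_host(url):
        if ch.isascii():
            continue
        cp, name = f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")
        cat, bidi = unicodedata.category(ch), unicodedata.bidirectional(ch)
        if bidi in RISKY_BIDI:
            findings.append((cp, name, f"bidi control {bidi}"))
        elif cat in RISKY_CATEGORIES:
            findings.append((cp, name, f"category {cat}"))
        elif cat == "Pd":  # e.g. NON-BREAKING HYPHEN, looks like an ASCII '-'
            findings.append((cp, name, "non-ASCII hyphen"))
    return findings


def idna_form(host: str):
    """ASCII (xn--) form the resolver will actually use, or None when IDNA
    rejects the host outright; show this form, not the raw text, on a warning page."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


if __name__ == "__main__":
    # Constructed sample URLs (not from the report) carrying the listed encodings.
    for enc in ("%E2%80%AE", "%E2%80%8E", "%E2%80%91", "%E2%80%A9", "%E2%80%AA"):
        url = f"https://example{enc}.test/"
        print(url, hostname_findings(url), idna_form(decode_host(url)))
```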

Steps To Reproduce:

  1. Go to following URL:
  2. You will see that it is showing:


But you will actually be redirected to https://xn--moc-4t7s.rettiwt/ when you click the continue button.


> But it is not possible to have the TLD 'rettiwt'.

* counter: We can have a URL as follows:


Supporting Material/References:

  • screenshots.


Wrong location redirection.