Bypass of Restricted Keyword "Mozilla" in Display Name Field via Unicode Homoglyphs on addons.allizom.org
Low
Vulnerability Details
## Summary:
A restricted keyword bypass vulnerability exists on the Firefox Add-ons platform (addons.allizom.org) that allows an attacker to register a display name visually identical to “Mozilla” by substituting a Unicode homoglyph character. This circumvents the intended restriction and can be used to impersonate official accounts, mislead users, or perform social engineering attacks.
## Steps To Reproduce:
1. Log in to your account at: https://addons.allizom.org
2. Navigate to the Edit Profile page:
   https://addons.allizom.org/en-GB/firefox/users/edit
3. In the Display Name field, enter the keyword:
   **Mozilla**
   You will receive the error: "This display name cannot be used".
4. Instead, enter the following homoglyph-modified string:
   Ꮇozilla
   (The “M” is replaced with U+13B7: Cherokee Letter Mo)
5. Submit the form — the bypassed name is accepted successfully.
6. Visit your profile and confirm that the display name appears as: Mozilla
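The server-side check that would catch this bypass, as an added example that is not taken from the report or from the add-ons platform's code: it reduces the display name to a comparison form (NFKD decomposition, combining marks dropped, known look-alike characters mapped to their Latin target, casefolded) before matching it against the restricted list, and separately flags names that mix scripts. The confusables table is a small constructed subset (a real deployment should load the full Unicode TR39 confusables data), and the restricted list, the `firefox` entry and the function names are assumptions.

```python
import unicodedata
from typing import Set, Tuple

# Hand-picked confusables table, constructed for this example. A production filter
# should load the full Unicode TR39 confusables data instead of this subset.
CONFUSABLES = {
    "\u13b7": "M",  # the Cherokee letter used in the report (U+13B7), drawn like "M"
    "\u0430": "a",  # Cyrillic small letter a
    "\u0435": "e",  # Cyrillic small letter ie
    "\u043e": "o",  # Cyrillic small letter o
    "\u0440": "p",  # Cyrillic small letter er
    "\u0441": "c",  # Cyrillic small letter es
    "\u0445": "x",  # Cyrillic small letter ha
    "\u0455": "s",  # Cyrillic small letter dze
    "\u0456": "i",  # Cyrillic small letter byelorussian-ukrainian i
    "\u0458": "j",  # Cyrillic small letter je
}

# Assumed restricted-name list; "mozilla" is the entry from the report.
RESTRICTED_NAMES = {"mozilla", "firefox"}

REJECT_MESSAGE = "This display name cannot be used"


def skeleton(name: str) -> str:
    """Comparison form of a display name: NFKD-decompose, drop combining marks,
    replace known look-alikes with their Latin target, then casefold."""
    decomposed = unicodedata.normalize("NFKD", name)
    chars = [CONFUSABLES.get(ch, ch) for ch in decomposed if not unicodedata.combining(ch)]
    return "".join(chars).casefold()


def scripts_in(name: str) -> Set[str]:
    """Heuristic script set: the first word of each letter's Unicode name
    (e.g. 'LATIN', 'CHEROKEE', 'CYRILLIC'). Approximates the Script property."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}


def is_restricted(name: str) -> bool:
    """True when the name collapses to the same skeleton as a restricted name."""
    restricted_skeletons = {skeleton(r) for r in RESTRICTED_NAMES}
    return skeleton(name) in restricted_skeletons


def is_mixed_script(name: str) -> bool:
    """True when letters from more than one script are combined, the usual
    signature of a homoglyph substitution such as 'Ꮇozilla'."""
    return len(scripts_in(name)) > 1


def check_display_name(name: str) -> Tuple[bool, str]:
    """Validation the Edit Profile form would run: reject restricted look-alikes
    outright, and hold mixed-script names for manual review."""
    if is_restricted(name):
        return False, REJECT_MESSAGE
    if is_mixed_script(name):
        return False, "Display name mixes scripts; held for review"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names: the report's payload, a Cyrillic variant,
    # an accented variant, a benign name and a near-miss.
    for candidate in ("Mozilla", "\u13b7ozilla", "m\u043ezilla", "M\u00f3zilla", "Alice", "Mozzarella"):
        print(repr(candidate), check_display_name(candidate))
```

Matching on the skeleton rather than on the raw string is what closes the gap: the Cherokee letter, a Cyrillic "о" and an accented "ó" all collapse to "mozilla" before the comparison runs. The script heuristic derives the script from the first word of each character's Unicode name, which is enough to flag a Cherokee-plus-Latin name but is an approximation; a deployment that needs precision should use a proper Unicode Script property table.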
## Supporting Material/References:
PoC01.png: The original name "Mozilla" being blocked as restricted.
██████████
PoC02.png: Homoglyph generation tool showing the use of Unicode character Ꮇ.
{F4630667}
PoC03.png: Profile shows the display name “Mozilla” using the homoglyph payload.
{F4630665}
PoC04.png: Shows what a phishing account looks like when using a homoglyph attack.
{F4630666}
## Impact
### Summary:
This vulnerability allows an attacker to impersonate trusted, official accounts like “Mozilla,” leading to:
- Brand impersonation
- Trust exploitation
- Potential phishing attacks
- User manipulation or confusion in developer communities
It undermines the platform’s existing keyword blacklist, which is meant to protect trusted identities.
Report Stats
- Report ID: 3279441
- State: Closed
- Substate: resolved
- Upvotes: 6