Material Symbols Ligature Origin Spoof Test

Current hostname:

Tests whether the target app UI (Brave Wallet, permission prompts, etc.) uses the Material Symbols font, which would render ligature substrings (e.g. verified, home, lock) as icon glyphs instead of plain text.


Control: how Material Symbols renders these words on this page

With Material Symbols Outlined font loaded:

verified home lock search settings download error info account_circle

The words above render as ICONS (✓ 🏠 🔒 🔍 ⚙ ⬇ ⚠ ℹ 👤) when the Material Symbols font is applied.

Same text without the font (plain):

verified home lock search settings download error info account_circle

These stay plain text.

Key insight: if the target app's UI uses the Material Symbols font for origin display text, the matching substring in the hostname will render as an icon glyph instead of letters. Most apps DON'T use Material Symbols for body text (it's an icon font, not a text font), but if any do for origin display, that's the bug.
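A check a UI developer could run on an origin label, as an added example that is not part of the original page: it flags the condition described above, where an icon font applies to the origin text and the hostname contains an icon name. The function names and the font-family pattern are assumptions; the word list is the control list from this page, not the font's full ligature set.

```javascript
// Added example, not code from the original page.
// Icon names from this page's control list; the real font defines many more.
const ICON_WORDS = ["verified", "home", "lock", "search", "settings",
                    "download", "error", "info", "account_circle"];

// Font families treated as ligature icon fonts (assumed pattern; extend for your UI).
const ICON_FONT_RE = /^material (symbols|icons)\b/i;

// Return the first icon-font family named in a CSS font-family value, or null.
function iconFontIn(fontFamily) {
  const families = fontFamily.split(",")
    .map(f => f.trim().replace(/^["']|["']$/g, ""));
  return families.find(f => ICON_FONT_RE.test(f)) || null;
}

// Find hostname substrings that spell an icon name.
// Simplification: leftmost, longest match, as an approximation of how a
// text shaper applies ligature substitutions.
function ligatureRuns(hostname, words = ICON_WORDS) {
  const host = hostname.toLowerCase();
  const byLength = [...words].sort((a, b) => b.length - a.length);
  const runs = [];
  for (let i = 0; i < host.length; ) {
    const hit = byLength.find(w => host.startsWith(w, i));
    if (hit) {
      runs.push({ word: hit, start: i, end: i + hit.length });
      i += hit.length;
    } else {
      i++;
    }
  }
  return runs;
}

// Audit one origin label: at risk only when an icon font is in its font stack
// and the hostname contains at least one icon name.
function auditOriginLabel({ hostname, fontFamily }) {
  const font = iconFontIn(fontFamily);
  const runs = ligatureRuns(hostname);
  return { font, runs, atRisk: font !== null && runs.length > 0 };
}
```

In a browser, pass `getComputedStyle(el).fontFamily` for the element that displays the origin; a label reported as at risk should be moved to a text font.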

Recommended subdomains to test

Create one or more of the following subdomains, host this PoC there, then open it in the target app:

| Subdomain | Word that may render as icon | Icon if rendered | Trust signal impact |
|---|---|---|---|
| verified.syarif07.my.id | verified | ✓ checkmark | HIGHEST (verified badge) |
| home.syarif07.my.id | home | 🏠 house | HIGH (looks legit) |
| lock.syarif07.my.id | lock | 🔒 padlock | HIGH (security signal) |
| search.syarif07.my.id | search | 🔍 magnifier | MEDIUM |
| account.syarif07.my.id | account | 👤 person | MEDIUM |

My pick: verified.syarif07.my.id. If rendered, it looks like "✓.syarif07.my.id" = strongest trust spoof.


Test buttons (same as the Google Sans test)

Brave Wallet UI

Chromium permissions (test on Chrome iOS / macOS / Android)


What to screenshot

For each prompt that opens, screenshot the area showing the origin/hostname text. Look for:

Test on multiple apps if subdomain is set up: