Jeffrey Yasskin recently pointed out an interesting security bug:
The idea is, if you had registered googlelogoligature.net
then Chrome on Android (and possibly other Google products) would have
displayed it as Google.net, potentially tricking users
into thinking they were really interacting with Google.
To see how this worked, you can try searching Google for ["googlelogoligature"], and you'll see it shows up as "Google":
Poking in devtools, this is dependent on the specific font they're using, "Google Sans". If I turn that off my "googlelogoligature" shows just as I typed it:
Fonts can include "ligatures", which let font designers special-case specific combinations of letters. These were intended to support things like "f" followed by "i" blending into "fi" nicely, but the feature has been (ab)used for many other things, including complex emoji. In this case, Google Sans has a specific way of drawing "googlelogoligature" that looks like a mildly stylized "Google".
Using a ligature to get the Google logo into text-only interfaces is a reasonable product decision, but it shouldn't have been added to a general-purpose font. And especially shouldn't have been added to a font used for rendering attacker-controlled text in security-sensitive contexts.
(When I first saw it I thought this might be an example of a unicode-driven vulnerability, but sadly not.)