Closed Bug 1353813 Opened 7 years ago Closed 7 years ago

IDN Homograph Attack

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
52 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1332714

People

(Reporter: techcens, Unassigned)

Details

Attachments

(1 file)

Screenshot (50).png
35.01 KB, image/png
Details
Attached image Screenshot (50).png 
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170323105023

Steps to reproduce:

First make a html file with the following HTML codes-

  believe me this is real ask.com ->  <a href="">ask.com</a>

Now as we can see , the browser supposed to show this http://xn--as-3pa.com in the url bar when we click "ask.com" (which is just a text) . But if we click it , it gets converted into fake "ask.com" domain.

The thing that mostly needs to fix is (screenshot 50) that when we put the cursor on our fake URL it should have told us where the link is sending us , instead it converts these into punycodes and we see a valid ask.com domain.


Actual results:

Even after putting a link like this "http://xn--as-3pa.com" , there's no way a user can understand that it has been spoofed. 


Expected results:

I have seen other similar bug reports there you guys have said that you guys don't want url bars to stop converting domains to punycodes. But the thing is , here clearly the "href" is telling the browser to go here "http://xn--as-3pa.com" but below it shows its going to ask.com

Which you can look in microsoft edge and any other browser is not normal. Browser like microsoft edge shows where the link is taking me. 
To prove that its not normal i have added other browser's screenshots too
* First make a html file-   believe me this is real ask.com ->  <a href="http://xn--as-3pa.com">ask.com</a>
FWIW, on Mac, all three browsers (Firefox, Safari and Chrome) do the same thing - show the IDN in the status bar and attempt to navigate to the IDN. When it fails due to site not found, the IDN is displayed in the URL bar.

So, if Firefox is violating a script-mixing rule here, it's no different from the other two. Someone might want to determine what scripts are being mixed in this example.

Reporter mentions IE and Edge, and I don't have a Windows machine in front of me at the moment to confirm myself.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
If it was normal other browsers like-

Microsoft Edge
IE 10
Brave Browser

would probably had done the same thing. I reported the issue on chromium too they said it was a duplicate but its on a fixing process.

And the android version is also vulnerable the thing that im trying to prove the most is that the link preview, its not working the way it should had worked

if you look at the android version of firefox there if you 

see this html file with following code

believe me this is real ask.com ->  <a href="http://xn--as-3pa.com">xn--as-3pa.com</a>

And hold your finger on the ask.com it will show the link preview. Now if you notice the href is nor taking me to ask.com its taking me here xn--as-3pa

Now here the issue could be something like this lets say a user brought a fancy domain like that without having any punycodes knowledge what will happen?

the guy is trying to show his viewer this site xn--as-3pa.com

But instead the domain is getting converted into another domain
The reason my bug is not duplicate is because the other report is mentioning about the url bar im not talking about the url bar its the link preview option
Group: firefox-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: