Closed
Bug 1353813
Opened 7 years ago
Closed 7 years ago
IDN Homograph Attack
Categories
(Firefox :: Untriaged, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1332714
People
(Reporter: techcens, Unassigned)
Details
Attachments
(1 file)
35.01 KB,
image/png
|
Details |
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Build ID: 20170323105023 Steps to reproduce: First make a html file with the following HTML codes- believe me this is real ask.com -> <a href="">ask.com</a> Now as we can see , the browser supposed to show this http://xn--as-3pa.com in the url bar when we click "ask.com" (which is just a text) . But if we click it , it gets converted into fake "ask.com" domain. The thing that mostly needs to fix is (screenshot 50) that when we put the cursor on our fake URL it should have told us where the link is sending us , instead it converts these into punycodes and we see a valid ask.com domain. Actual results: Even after putting a link like this "http://xn--as-3pa.com" , there's no way a user can understand that it has been spoofed. Expected results: I have seen other similar bug reports there you guys have said that you guys don't want url bars to stop converting domains to punycodes. But the thing is , here clearly the "href" is telling the browser to go here "http://xn--as-3pa.com" but below it shows its going to ask.com Which you can look in microsoft edge and any other browser is not normal. Browser like microsoft edge shows where the link is taking me. To prove that its not normal i have added other browser's screenshots too
* First make a html file- believe me this is real ask.com -> <a href="http://xn--as-3pa.com">ask.com</a>
Comment 3•7 years ago
|
||
FWIW, on Mac, all three browsers (Firefox, Safari and Chrome) do the same thing - show the IDN in the status bar and attempt to navigate to the IDN. When it fails due to site not found, the IDN is displayed in the URL bar. So, if Firefox is violating a script-mixing rule here, it's no different from the other two. Someone might want to determine what scripts are being mixed in this example. Reporter mentions IE and Edge, and I don't have a Windows machine in front of me at the moment to confirm myself.
Updated•7 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
If it was normal other browsers like- Microsoft Edge IE 10 Brave Browser would probably had done the same thing. I reported the issue on chromium too they said it was a duplicate but its on a fixing process. And the android version is also vulnerable the thing that im trying to prove the most is that the link preview, its not working the way it should had worked if you look at the android version of firefox there if you see this html file with following code believe me this is real ask.com -> <a href="http://xn--as-3pa.com">xn--as-3pa.com</a> And hold your finger on the ask.com it will show the link preview. Now if you notice the href is nor taking me to ask.com its taking me here xn--as-3pa Now here the issue could be something like this lets say a user brought a fancy domain like that without having any punycodes knowledge what will happen? the guy is trying to show his viewer this site xn--as-3pa.com But instead the domain is getting converted into another domain
The reason my bug is not duplicate is because the other report is mentioning about the url bar im not talking about the url bar its the link preview option
Updated•7 years ago
|
Group: firefox-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•