Closed Bug 1356769 Opened 5 years ago Closed 5 years ago

Phishing Attack Uses Domains Identical to Known Safe Sites

Categories

(Firefox :: Untriaged, defect)

52 Branch
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1332714

People

(Reporter: u534134, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170323105023

Steps to reproduce:

You can read the Wordfence article here: https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/?utm_source=list&utm_medium=email&utm_campaign=041417

Opening in Firefox the website: https://xn--e1awd7f.com/ will show a wrong domain name fake epic.com this can be used for Phishing


Actual results:

From Wordfence:
How is this possible?

The xn-- prefix is what is known as an ‘ASCII compatible encoding’ prefix. It lets the browser know that the domain uses ‘punycode’ encoding to represent Unicode characters. In non-techie speak, this means that if you have a domain name with Chinese or other international characters, you can register a domain name with normal A-Z characters that can allow a browser to represent that domain as international characters in the location bar.

What we have done above is used ‘e’ ‘p’ ‘i’ and ‘c’ unicode characters that look identical to the real characters but are different unicode characters. In the current version of Chrome, as long as all characters are unicode, it will show the domain in its internationalized form.
How to fix this in Firefox:

In your firefox location bar, type ‘about:config’ without quotes.

Do a search for ‘punycode’ without quotes.

You should see a parameter titled: network.IDN_show_punycode

Change the value from false to true.


Expected results:

As you can see both of these domains appear identical in the browser but they are completely different websites. One of them was registered by us, today. Our epic.com domain is actually the domain https://xn--e1awd7f.com/ but it appears in Chrome and Firefox as epic.com.
New Firefox Version 54 (Developers) is also affected by this security issue.
There is already a public bug on file about this issue.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1332714
You need to log in before you can comment on or make changes to this bug.