Closed
Bug 1356769
Opened 7 years ago
Closed 7 years ago
Phishing Attack Uses Domains Identical to Known Safe Sites
Categories
(Firefox :: Untriaged, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1332714
People
(Reporter: u534134, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170323105023
Steps to reproduce:
You can read the Wordfence article here: https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/?utm_source=list&utm_medium=email&utm_campaign=041417
Opening in Firefox the website: https://xn--e1awd7f.com/ will show a wrong domain name fake epic.com this can be used for Phishing
Actual results:
From Wordfence:
How is this possible?
The xn-- prefix is what is known as an ‘ASCII compatible encoding’ prefix. It lets the browser know that the domain uses ‘punycode’ encoding to represent Unicode characters. In non-techie speak, this means that if you have a domain name with Chinese or other international characters, you can register a domain name with normal A-Z characters that can allow a browser to represent that domain as international characters in the location bar.
What we have done above is used ‘e’ ‘p’ ‘i’ and ‘c’ unicode characters that look identical to the real characters but are different unicode characters. In the current version of Chrome, as long as all characters are unicode, it will show the domain in its internationalized form.
How to fix this in Firefox:
In your firefox location bar, type ‘about:config’ without quotes.
Do a search for ‘punycode’ without quotes.
You should see a parameter titled: network.IDN_show_punycode
Change the value from false to true.
Expected results:
As you can see both of these domains appear identical in the browser but they are completely different websites. One of them was registered by us, today. Our epic.com domain is actually the domain https://xn--e1awd7f.com/ but it appears in Chrome and Firefox as epic.com.
New Firefox Version 54 (Developers) is also affected by this security issue.
Comment 2•7 years ago
|
||
There is already a public bug on file about this issue.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•