Closed Bug 1366444 Opened 5 years ago Closed 4 years ago

IDN address bar spoofing - LATIN SMALL LETTER A WITH DOT BELOW

Categories

(Firefox :: Untriaged, defect)

53 Branch
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1370497

People

(Reporter: tahir.vb.net, Unassigned)

Details

Attachments

(1 file)

Attached video firefox.mp4
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170518000419

Steps to reproduce:

In this vulnerability If User Type or click special crafted url in address bar then it will redirect to fake phishing website but on firefox address bar, URL of the website will exactly URL of original website.
To Reproduce this case For example attacker send this URL to Victim: http://xn--whatspp-en4c.com   if user click on this, it will goes to fake website and Browser address bar will show real whatsapp.com url but website is not actually whatsapp.com. I also attached the video. 


Actual results:

It show whatsapp.com URL on address bar


Expected results:

It should Show fake website url that is not whatsapp.com
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1332714
This is not actually a duplicate of 1332714. 1332714 addresses completely identical characters. This bug has a dot below the a in whatsapp.com, and IS therefore visually distinguishable, although you have to be quite alert to catch it.
(In reply to Benny Amorsen from comment #2)
> This is not actually a duplicate of 1332714. 1332714 addresses completely
> identical characters. This bug has a dot below the a in whatsapp.com, and IS
> therefore visually distinguishable, although you have to be quite alert to
> catch it.

Thanks for the heads-up. I was clearly too hasty - when this issue got widespread attention (and for some time afterwards) there was approximately a dupe a day... :-\


Re-marking sec-sensitive for now. I wonder if this is essentially a dupe of bug 1370497. Gerv / Jonathan, thoughts about what to do here?
Group: firefox-core-security
Status: RESOLVED → REOPENED
Ever confirmed: true
Flags: needinfo?(jfkthame)
Flags: needinfo?(gerv)
Resolution: DUPLICATE → ---
Summary: Address Bar Spoofing and website masking → IDN address bar spoofing - LATIN SMALL LETTER A WITH DOT BELOW
I don't think there is anything useful to do in this situation. It is a perfectly valid domain, it is visually distinguishable (with difficulty). I have reported it as a phishing URL to the Safe Browsing project.

It is not really different from regular non-punycode typo-squatting. The only concerning thing is that it has been allowed to persist for at least 20 days without getting caught by Safe Browsing.

Personally I believe that registering an [a-z0-9] domain name in a mostly-Western top level domain should give you rights to all the accented variations of it as well. I just don't think the browser is the right place to implement that policy.
(In reply to :Gijs from comment #3)
> Re-marking sec-sensitive for now. I wonder if this is essentially a dupe of
> bug 1370497. Gerv / Jonathan, thoughts about what to do here?

Yes, same thing. (See bug 1370497 comment 2, where I even mentioned the example of the dot-below diacritic on a Latin letter.) I don't see much that we can do in the browser here; IMO this is an issue for domain registrars to handle via policy.
Status: REOPENED → RESOLVED
Closed: 5 years ago4 years ago
Flags: needinfo?(jfkthame)
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2017-7833
Flags: needinfo?(gerv)
What are your final decision it is dupliacete of other bug or not?
Yes, this is a duplicate of bug 1370497.

Gerv
Group: firefox-core-security
You need to log in before you can comment on or make changes to this bug.