Closed Bug 1367442 Opened 7 years ago Closed 7 years ago

IDN URL Spoofing with TIFINAGH LETTER YAN

Categories

(Core :: Networking, defect)

53 Branch
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: rbcomic12, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170518000419

Steps to reproduce:

There are some letters which look exactly alike. I don't know if they're allowed or not, but if they're allowed then we've got a serious problem over here.

For example: 

-) “ⵏ” U+2D4F --> http://xn--appe-220c.com/ ( http://appⵏe.com )

Actual results:

In the above example, it is extremely difficult (nearly impossible) to distinguish between apple.com and http://xn--appe-220c.com/


Expected results:

It should convert it into punycode.

This is a mixed script domain, so it shouldn't work... But if I put xn--appe-220c.com into my "localhosts" file, it does indeed seem to. Unless we use different behaviour for that, this seems wrong.

This character should not be allowed according to:
http://www.unicode.org/Public/security/latest/IdentifierStatus.txt
or even
http://www.unicode.org/Public/security/8.0.0/xidmodifications.txt

jfkthame: over to you again... Why are we allowing this character at all, and why is our script-mixing code not firing?

Gerv
Flags: needinfo?(jfkthame)
Basically the same answer as bug 1364283 comment 3: Tifinagh is "Aspirational Use" (http://www.unicode.org/reports/tr31/#Aspirational_Use_Scripts), and therefore allowed to be mixed with Latin in the Moderately Restrictive profile (http://www.unicode.org/reports/tr39/#Restriction_Level_Detection).

This will be changing in the forthcoming update to UAX#31, and the patch just landed in bug 1364283 implements the change (in anticipation) in Firefox, so that should resolve the issue.

(FWIW, the example in comment 0 doesn't seem problematic on my machine, as the “ⵏ” character is visibly quite different from a Latin "l". But that would be dependent on the particular fonts; the result probably varies between systems.)
Flags: needinfo?(jfkthame)
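
The script-mixing decision discussed in the comments above, as an added example that is not part of the original thread and is not Firefox's code. The function names, the short script list and the `mixableWithLatin` parameter are assumptions made for illustration, and the rule is a simplification of the TR39 restriction levels: the reported label is shown in Unicode while Tifinagh may mix with Latin, and stays in its ASCII form once it may not.

```javascript
// Added example, not Firefox code. Decodes the part of an IDN label after "xn--" (RFC 3492).
function punycodeDecode(input) {
  const base = 36, tMin = 1, tMax = 26, skew = 38, damp = 700;
  const cut = input.lastIndexOf("-");
  const out = cut > 0 ? Array.from(input.slice(0, cut)) : [];
  let n = 128, i = 0, bias = 72, pos = cut > 0 ? cut + 1 : 0;
  while (pos < input.length) {
    const oldI = i;
    for (let w = 1, k = base; ; k += base) {
      if (pos >= input.length) throw new RangeError("truncated label");
      const c = input.charCodeAt(pos++);
      const digit = c >= 97 && c <= 122 ? c - 97 : c >= 48 && c <= 57 ? c - 22 : -1;
      if (digit < 0) throw new RangeError("invalid Punycode digit");
      i += digit * w;
      const t = k <= bias ? tMin : k >= bias + tMax ? tMax : k - bias;
      if (digit < t) break;
      w *= base - t;
    }
    const len = out.length + 1;
    // Bias adaptation (RFC 3492, section 6.1)
    let k = 0, delta = Math.floor((i - oldI) / (oldI === 0 ? damp : 2));
    delta += Math.floor(delta / len);
    for (; delta > 455; k += base) delta = Math.floor(delta / (base - tMin));
    bias = k + Math.floor((base * delta) / (delta + skew));
    n += Math.floor(i / len); // code point to insert
    i %= len;                 // position to insert it at
    out.splice(i++, 0, String.fromCodePoint(n));
  }
  return out.join("");
}
// Illustrative subset of scripts (an assumption); anything else is reported as "Other".
const KNOWN_SCRIPTS = ["Latin", "Cyrillic", "Greek", "Han", "Tifinagh"];
function scriptsOf(label) {
  const found = new Set();
  for (const ch of label) {
    if (/[\p{Script=Common}\p{Script=Inherited}]/u.test(ch)) continue; // digits, hyphen
    found.add(KNOWN_SCRIPTS.find(s => new RegExp(`\\p{Script=${s}}`, "u").test(ch)) || "Other");
  }
  return [...found];
}
// Simplified rule: one known script, or Latin plus one script listed in mixableWithLatin.
function displayLabel(aLabel, mixableWithLatin) {
  const lower = aLabel.toLowerCase();
  const uLabel = lower.startsWith("xn--") ? punycodeDecode(lower.slice(4)) : lower;
  const scripts = scriptsOf(uLabel);
  const other = scripts.filter(s => s !== "Latin");
  const ok = !scripts.includes("Other") && (scripts.length < 2 ||
    (other.length === 1 && mixableWithLatin.includes(other[0])));
  return ok ? uLabel : lower; // disallowed mix: keep the ASCII (Punycode) form
}
```

Calling `displayLabel("xn--appe-220c", ["Tifinagh"])` models the behaviour reported in comment 0, and passing an empty list models the behaviour after Tifinagh is no longer allowed to mix with Latin.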
This appears to be fixed by bug 1364283
Group: firefox-core-security → network-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Component: Untriaged → Networking
Depends on: CVE-2017-7764
Product: Firefox → Core
Resolution: --- → FIXED
Group: network-core-security → core-security-release
This is effectively a duplicate of the issues raised by bug 1364283, reported on May 11, so does not qualify for bounty. The patch on bug 1364283 fixed this issue when it was checked in today.
Flags: sec-bounty? → sec-bounty-
Can you cc me on the respective bug?
Flags: needinfo?(mcmanus)
(In reply to rbcomic12 from comment #5)
> Can you cc me on the respective bug?

I'll leave that up to Al. Thanks for the report.
Flags: needinfo?(mcmanus) → needinfo?(abillings)
Can you please update me with the information? Thanks.

CC'd
Flags: needinfo?(abillings)
Group: core-security-release