Closed Bug 1370504 Opened 5 years ago Closed 5 years ago

URL spoofing via IDN - MODIFIER LETTER APOSTROPHE

Categories

(Firefox :: Address Bar, defect)

53 Branch
defect
Not set
normal

Tracking

()

RESOLVED INVALID

People

(Reporter: rayyanh12, Unassigned)

Details

(Keywords: csectype-spoof)

Attachments

(1 file)

Attached image PoC.png
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170518000419
Firefox for Android

Steps to reproduce:

http://xn--gmail-c2c.com/ 


Actual results:

By adding this "ʼ" we can actually somehow spoof the URL (especially the inexperienced users)

More info:
Unicode Character 'MODIFIER LETTER APOSTROPHE' (U+02BC)


Expected results:

The URL should be converted into Punnycode
Not sure I buy this one. The URL definitely does look different.

Even though it's called "MODIFIER", this isn't a combining mark, AFAICS. So it wouldn't be fixed by restrictions on combining marks.

Gerv
Flags: needinfo?(jfkthame)
You guys can treat this same as punctuation marks in the URL.
Component: Untriaged → Location Bar
(In reply to Gervase Markham [:gerv] from comment #1)
> Not sure I buy this one. The URL definitely does look different.

Indeed. And the fact that U+02BC is allowed in domain names is widely known; see http://www.worldtrademarkreview.com/daily/detail.aspx?g=a241d0a3-b991-4d39-944a-6559d70961f5, and example sites like http://мʼясо.kh.ua/.
Flags: needinfo?(jfkthame)
Unhiding as per comment 3.
Group: firefox-core-security
Summary: URL spoofing via IDN → URL spoofing via IDN - MODIFIER LETTER APOSTROPHE
I think, from the conversation above, we have decided this particular one is "no action" - the difference is fairly clearly visible.

Gerv
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.