Closed
Bug 1370504
Opened 7 years ago
Closed 7 years ago
URL spoofing via IDN - MODIFIER LETTER APOSTROPHE
Categories
(Firefox :: Address Bar, defect)
RESOLVED
INVALID
People
(Reporter: rayyanh12, Unassigned)
Details
(Keywords: csectype-spoof)
Attachments
(1 file)
20.55 KB,
image/png
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170518000419
Firefox for Android

Steps to reproduce:
http://xn--gmail-c2c.com/

Actual results:
By adding this "ʼ" we can actually somehow spoof the URL (especially for inexperienced users)
More info: Unicode Character 'MODIFIER LETTER APOSTROPHE' (U+02BC)

Expected results:
The URL should be converted into Punycode
Comment 1•7 years ago
Not sure I buy this one. The URL definitely does look different.

Even though it's called "MODIFIER", this isn't a combining mark, AFAICS. So it wouldn't be fixed by restrictions on combining marks.

Gerv
Flags: needinfo?(jfkthame)
You guys can treat this the same as punctuation marks in the URL.
Updated•7 years ago
Component: Untriaged → Location Bar
Comment 3•7 years ago
(In reply to Gervase Markham [:gerv] from comment #1)
> Not sure I buy this one. The URL definitely does look different.

Indeed. And the fact that U+02BC is allowed in domain names is widely known; see http://www.worldtrademarkreview.com/daily/detail.aspx?g=a241d0a3-b991-4d39-944a-6559d70961f5, and example sites like http://мʼясо.kh.ua/.
Flags: needinfo?(jfkthame)
Updated•7 years ago
Summary: URL spoofing via IDN → URL spoofing via IDN - MODIFIER LETTER APOSTROPHE
Updated•7 years ago
Keywords: csectype-spoof
Comment 5•7 years ago
I think, from the conversation above, we have decided this particular one is "no action" - the difference is fairly clearly visible.

Gerv
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
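Added example, not part of the bug thread or of Firefox's code: a Python sketch that decodes the reported label and lists each non-ASCII character with its Unicode general category, which shows the point made in comment 1 that U+02BC is a letter (category Lm) and not a combining mark. The function names and the `example.test` contrast host containing U+0301 are constructed for illustration.

```python
import unicodedata

def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label (decodes an xn-- A-label)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def non_ascii_chars(host: str):
    """List (decoded label, U+XXXX, name, general category) per non-ASCII char."""
    found = []
    for label in host.rstrip(".").split("."):
        text = decode_label(label)
        for ch in text:
            if ord(ch) > 0x7F:
                found.append((text, f"U+{ord(ch):04X}",
                              unicodedata.name(ch, "<unnamed>"),
                              unicodedata.category(ch)))
    return found

def has_combining_mark(host: str) -> bool:
    """True if any character is a mark (Mn/Mc/Me), the class that a
    restriction on combining marks would act on."""
    return any(cat.startswith("M") for _, _, _, cat in non_ascii_chars(host))

if __name__ == "__main__":
    hosts = [
        "xn--gmail-c2c.com",                     # host from the bug report
        "\u043c\u02bc\u044f\u0441\u043e.kh.ua",  # example site from comment 3
        "exa\u0301mple.test",                    # constructed: contains U+0301
    ]
    for host in hosts:
        print(host, "| combining mark present:", has_combining_mark(host))
        for text, cp, name, cat in non_ascii_chars(host):
            print(f"    {text!r}: {cp} {name} [{cat}]")
```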