Closed Bug 1371812 Opened 7 years ago Closed 7 years ago

URL spoofing

Categories

(Firefox :: Address Bar, defect)

53 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1370497

People

(Reporter: rayyanh12, Unassigned)

Details

Attachments

(1 file)

Attached image PoC.png
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170518000419
Firefox for Android

Steps to reproduce:

http://xn--gmail-bgd.com/ (does not show in Punycode)

What went wrong?

More info:

(latin small letter i with dot above)
 
<U+0069, U+0307>


Actual results:

By adding "i̇" we can actually spoof the URL 

More info:

(latin small letter i with dot above)
 
<U+0069, U+0307>
I kind of distorted the format - Ignore the *What went wrong?* part.
Component: Untriaged → Location Bar
This is being discussed in bug 1370497 and it doesn't seem that having 2 bugs open is really useful - the general category of these combining marks is at issue, not individual characters.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: firefox-core-security
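
Added example, not part of the original bug report and not Mozilla's code: a Python check that decodes the Punycode label from the report and flags any hostname label containing a Unicode combining mark (general category Mn, Mc or Me), the class of characters the closing comment refers to. The function name `labels_with_combining_marks` is an assumption of this example.

```python
import unicodedata

ACE_PREFIX = "xn--"


def labels_with_combining_marks(hostname):
    """Return (label, decoded_label, [code points]) for each hostname label
    that contains a combining mark once its Punycode form is decoded."""
    findings = []
    for label in hostname.rstrip(".").split("."):
        decoded = label
        if label.lower().startswith(ACE_PREFIX):
            try:
                # The part after "xn--" is plain RFC 3492 Punycode.
                raw = label[len(ACE_PREFIX):].lower().encode("ascii")
                decoded = raw.decode("punycode")
            except UnicodeError:
                # Malformed ACE label: outside the scope of this check.
                continue
        # General categories Mn, Mc and Me all start with "M".
        marks = [
            f"U+{ord(ch):04X}"
            for ch in decoded
            if unicodedata.category(ch).startswith("M")
        ]
        if marks:
            findings.append((label, decoded, marks))
    return findings


if __name__ == "__main__":
    # The first hostname is the one from the report; the second is a plain
    # ASCII name included for comparison.
    for host in ("xn--gmail-bgd.com", "gmail.com"):
        print(host, labels_with_combining_marks(host))
```
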