Closed Bug 1373860 Opened 7 years ago Closed 6 years ago

URL spoofing using e.g. Armenian letters (single script plus Latin)

Categories

(Firefox :: Address Bar, defect, P3)

53 Branch
defect

Tracking

RESOLVED FIXED
Tracking Status
firefox-esr52 --- wontfix
firefox54 --- wontfix
firefox55 --- wontfix
firefox56 --- wontfix

People

(Reporter: rayyanh12, Unassigned)

References

Details

(Keywords: sec-moderate)

Attachments

(1 file)

Attached image PoC.png
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170518000419
Firefox for Android

Steps to reproduce:

cnո.com ( http://xn--cn-ded.com/ )
yoսtube.com ( http://xn--yotube-qkh.com/ )





Actual results:

-


Expected results:

It is expected to show the URL in punycode

More Info:

“ս” --> U+054D 

“ո” --> U+0578 Armenian Small Letter
dveditz: do we need to revisit the question of whether we should be doing Highly Restrictive vs. Moderately Restrictive, in UTS #39 section 5.2 terms? The difference is:

* Allow Latin with other Recommended or Aspirational scripts except Cyrillic and Greek

It seems to me that this therefore allows you to find a single letter homograph of any single Latin letter in any Recommended script, and do what's being done here. Unless we want to make a list of all of those and also refuse any domain name which contains only Latin + <List>, I can't see how to avoid dying a death of a thousand cuts here.

Gerv
Flags: needinfo?(dveditz)
Summary: URL spoofing → URL spoofing using Armenian letters
Summary: URL spoofing using Armenian letters → URL spoofing using e.g. Armenian letters (single script plus Latin)
Status: UNCONFIRMED → NEW
Component: Untriaged → Location Bar
Ever confirmed: true
Armenian is a bit of an odd case, because the spoofability it offers is highly dependent on font style: there are font styles where the Armenian letters are unmistakably distinct from any Latin ones (including what I see by default on macOS), but there are also styles where several Armenian letters have glyphs that are clear candidates for spoofing. So the "success" of these examples is highly dependent on the default fonts the target system/device is using.

Still, given that there are some common Armenian fonts that use the "latin-like" glyph styles, perhaps it should have been excluded (like Cyrillic and Greek) in the rule cited in comment 1.
Any update for this bug?
bug 1390965 mentions Ethiopic + Latin. But really, it's a whole bunch of scripts
Flags: needinfo?(dveditz)
Depends on: 1399939
Flags: sec-bounty?
Priority: -- → P3
This was a known downside to using the "moderately restrictive" profile--the problem was defined in the spec even. Does not qualify for the bounty because it was a known problem.

The examples in this bug were fixed by turning on the highly restrictive profile in bug 1399939.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → FIXED
Group: firefox-core-security → core-security-release
Group: core-security-release
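
The two UTS #39 section 5.2 profiles discussed in this bug, sketched as an added example (not Firefox's code and not part of the original comments): it classifies a domain label by restriction level and shows why the reported labels display as Unicode under "moderately restrictive" but fall back to punycode under "highly restrictive". The function names, the profile strings and the script subset are assumptions made for illustration.

```javascript
// Assumptions: SCRIPTS is a small constructed subset of the Recommended scripts,
// and the plain Script property stands in for the spec's augmented Script_Extensions.
const SCRIPTS = ['Latin', 'Cyrillic', 'Greek', 'Armenian', 'Ethiopic',
                 'Han', 'Hiragana', 'Katakana', 'Bopomofo', 'Hangul'];
const SCRIPT_RE = Object.fromEntries(
  SCRIPTS.map(s => [s, new RegExp(`\\p{Script=${s}}`, 'u')]));
const IGNORED_RE = /[\p{Script=Common}\p{Script=Inherited}]/u;

// Highly Restrictive allows only these fixed multi-script combinations.
const CJK_SETS = [['Latin', 'Han', 'Hiragana', 'Katakana'],
                  ['Latin', 'Han', 'Bopomofo'], ['Latin', 'Han', 'Hangul']];

// Set of scripts used by a label; Common/Inherited (digits, hyphen) are ignored.
function scriptsOf(label) {
  const found = new Set();
  for (const ch of label) {
    if (IGNORED_RE.test(ch)) continue;
    found.add(SCRIPTS.find(s => SCRIPT_RE[s].test(ch)) || 'Other');
  }
  return found;
}

function restrictionLevel(label) {
  if (/^[\x00-\x7f]*$/.test(label)) return 'ASCII-Only';
  const scripts = scriptsOf(label);
  if (scripts.has('Other')) return 'Unclassified';  // outside the sample subset
  if (scripts.size <= 1) return 'Single Script';
  if (CJK_SETS.some(set => [...scripts].every(s => set.includes(s)))) {
    return 'Highly Restrictive';
  }
  // Latin plus one other script, except Cyrillic and Greek.
  if (scripts.size === 2 && scripts.has('Latin') &&
      !scripts.has('Cyrillic') && !scripts.has('Greek')) {
    return 'Moderately Restrictive';
  }
  return 'Minimally Restrictive';
}

// true: label may be shown as Unicode; false: fall back to punycode.
function showsUnicode(label, profile) {
  const ok = ['ASCII-Only', 'Single Script', 'Highly Restrictive'];
  if (profile === 'moderately') ok.push('Moderately Restrictive');
  return ok.includes(restrictionLevel(label));
}

// Decoded labels of the two hosts in this bug's steps to reproduce.
for (const label of ['cn\u0578', 'yo\u057dtube']) {
  console.log(label, restrictionLevel(label),
              showsUnicode(label, 'moderately'), showsUnicode(label, 'highly'));
}
```

The same result holds for Latin plus any other single script in the subset (for example Ethiopic), which is the "whole bunch of scripts" point made in the thread.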