Closed Bug 1376242 Opened 7 years ago Closed 7 years ago

URL Spoofing via ETHIOPIC COMBINING VOWEL LENGTH MARK

Categories

(Firefox :: Address Bar, defect)

Product:
Firefox
Component:
Address Bar
Version:
54 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1370497

People

(Reporter: rayyanh12, Unassigned)

References

Details

Attachments

(1 file)

PoC.png
23.92 KB, image/png
Details
Attached image PoC.png 
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170608105825

Steps to reproduce:

http://xn--facebook-br9a.com/ (does not show in punnycode)

What went wrong?
By adding this *፞* (notice the dot above asterisk) we can actually spoof the URL.

More info:

U+135E: ETHIOPIC COMBINING VOWEL LENGTH MARK


Actual results:

-


Expected results:

-
Gerv: I assume this is a duplicate of the more generic bug about combining marks, bug 1370497? Or possibly the script-mixing one bug 1373860.

On MacOS (10.11.6) this fails as a spoof because that character appears to be unsupported in the fonts we use -- I just get a box and it's not even close to what it's trying to spoof.
Component: Untriaged → Location Bar
Flags: needinfo?(gerv)
Rayyan: you can stop filing new bugs about every character you think is spoofable. I promise you, it won't increase your chances of getting a bounty :-) If you have new characters which are covered by the two generic bugs (bug 1370497 for combining marks, and bug 1373860 for single-script-plus-Latin), please add them there. Please only file new bugs for new classes of spoofing.

Thanks,

Gerv
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Flags: needinfo?(gerv)
Resolution: --- → DUPLICATE
Gerv, could you cc me on bug 1373860, please? Thanks.
Flags: needinfo?(gerv)
Done.

Gerv
Flags: needinfo?(gerv)
Group: firefox-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: