Bug 1467806 (Closed) - URL spoofing via long RTL URIs
Opened 6 years ago, closed 6 years ago

Product / Component: Firefox :: Address Bar
Type: defect
Version: 60 Branch
Priority: Not set
Severity: normal
Status: RESOLVED DUPLICATE of bug 1419391
Reporter: 0xsobky
Assignee: Unassigned
Attachments: 3 files, 2 obsolete files

Attached file testcase.html (obsolete) —
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180605171542

Steps to reproduce:

1. Open the attached testcase.
2. Click on the "Spoof" link.
3. Firefox displays "example.com" in place of the real origin "xn--mgbh0fb.xn--mgberp4a5d4ar".

Note that in a real attack, no user interaction is required. An attacker would just need to buy/register an Internationalized domain name (like this one "مثال.السعودية") and use it to host the spoof. The same result can be achieved by simply redirecting from:
http://xn--mgbh0fb.xn--mgberp4a5d4ar/000000000000000000000000000000000000000000000000000000000000000000000000000000000

To:
http://xn--mgbh0fb.xn--mgberp4a5d4ar/example.com/000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Also note that it's trivial to spoof the protocol as well as the SSL lock icon by prefixing "example.com" in the URL above with "https://" and by obtaining an SSL certificate for the domain name used to host the spoof.


Actual results:

The real origin is hidden, and "example.com" is displayed instead.


Expected results:

The real origin "xn--mgbh0fb.xn--mgberp4a5d4ar" should be displayed in the address bar.
Attached image screenshot.png (obsolete) —
Attached file testcase2.html
I've updated the testcase to increase the `setTimeout()` delay so that it's easier to reproduce on slow connections (the spoof happens after 3 seconds now). I also prepended "\uD83D\uDD12https://" to "example.com" so that it looks like a secure connection. As mentioned earlier, if the attacker owns an Internationalized domain name and has an SSL certificate, this spoof would not require any user interaction, timers, or the fake Unicode padlock (just URL redirection).
Attachment #8984445 - Attachment is obsolete: true
Attached image addressbar.png
This is how the address bar looks in the second testcase.
Attachment #8984450 - Attachment is obsolete: true
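The two reporter comments above rest on two facts: the A-label host "xn--mgbh0fb.xn--mgberp4a5d4ar" is displayed as the right-to-left name "مثال.السعودية", and a scheme string placed inside the path makes the visible remainder look like a secure origin. The following is an added example, not code from the bug report or from Firefox: it decodes the punycode labels with an RFC 3492 decoder, determines the first strong directional character of the displayed host (under the Unicode Bidirectional Algorithm's default rules, UAX #9 P2/P3, that character sets the paragraph direction of a text run, which is why a plain left-aligned field clips the host side of an RTL URL), and flags "https://" inside the path. JavaScript regexes expose no Bidi_Class property, so strong RTL is approximated by the Arabic, Hebrew, Syriac and Thaana scripts; the function and constant names are this example's own.

```javascript
// Added example (not from the bug report or Firefox): decode an IDN host,
// decide whether its displayed form starts with a strong RTL character,
// and flag a scheme string hidden in the path (second testcase).
// Assumptions: RFC 3492 constants as specified; "strong RTL" approximated
// by script because JS regexes have no Bidi_Class property.

const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
const INITIAL_BIAS = 72, INITIAL_N = 128;

// Bias adaptation, RFC 3492 section 6.1.
function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : delta >> 1;
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > ((BASE - TMIN) * TMAX) >> 1) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// 'a'..'z' -> 0..25, '0'..'9' -> 26..35 (case-insensitive).
function digitValue(ch) {
  const c = ch.charCodeAt(0);
  if (c >= 0x30 && c <= 0x39) return c - 22;
  if (c >= 0x41 && c <= 0x5a) return c - 0x41;
  if (c >= 0x61 && c <= 0x7a) return c - 0x61;
  throw new Error(`invalid punycode digit: ${ch}`);
}

// Decode one punycode label (the part after "xn--"), RFC 3492 section 6.2.
function punycodeDecode(input) {
  const basic = Math.max(0, input.lastIndexOf('-'));
  const output = [];
  for (let j = 0; j < basic; j++) {
    const c = input.charCodeAt(j);
    if (c >= 0x80) throw new Error('non-basic code point before delimiter');
    output.push(c);
  }
  let n = INITIAL_N, bias = INITIAL_BIAS, i = 0;
  let pos = basic > 0 ? basic + 1 : 0;
  while (pos < input.length) {
    const oldi = i;
    let w = 1;
    for (let k = BASE; ; k += BASE) {
      if (pos >= input.length) throw new Error('truncated punycode input');
      const digit = digitValue(input[pos++]);
      i += digit * w;
      const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
      if (digit < t) break;
      w *= BASE - t;
    }
    const len = output.length + 1;
    bias = adapt(i - oldi, len, oldi === 0);
    n += Math.floor(i / len);
    i %= len;
    output.splice(i, 0, n); // insert the decoded code point at position i
    i++;
  }
  return String.fromCodePoint(...output);
}

// Unicode display form of an ASCII (A-label) hostname.
function hostToUnicode(hostname) {
  return hostname.split('.').map(label =>
    /^xn--/i.test(label) ? punycodeDecode(label.slice(4)) : label).join('.');
}

// Approximation of UAX #9 rules P2/P3: the first strong character decides
// the paragraph direction. Strong RTL is approximated by script here.
const STRONG_RTL = /[\p{Script=Arabic}\p{Script=Hebrew}\p{Script=Syriac}\p{Script=Thaana}]/u;
function firstStrongDirection(text) {
  for (const ch of text) {
    if (STRONG_RTL.test(ch)) return 'rtl';
    if (/\p{L}/u.test(ch)) return 'ltr';
  }
  return 'neutral';
}

// Summarise the display hazards of a URL for a text field that lays out
// by first-strong direction.
function analyseUrl(urlString) {
  const url = new URL(urlString);
  const displayHost = hostToUnicode(url.hostname);
  const direction = firstStrongDirection(displayHost);
  return {
    asciiHost: url.hostname,
    displayHost,
    hostIsRtl: direction === 'rtl',
    // Right-align and fade on the left for RTL hosts, so the host stays visible.
    suggestedAlign: direction === 'rtl' ? 'right' : 'left',
    // A scheme string inside the path mimics a secure origin.
    schemeInPath: /https?:\/\//i.test(url.pathname),
    pathLength: url.pathname.length,
  };
}

console.log(analyseUrl('http://xn--mgbh0fb.xn--mgberp4a5d4ar/https://example.com/' + '0'.repeat(80)));
```

Running the block on the testcase URL reports an RTL host, a right-align suggestion and a scheme string in the path; the same call on a plain "example.com" URL reports none of the three, which is the distinction a URL-bar layout check would have to make before choosing where to clip.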
Pretty sure this is a dupe. We should right-align the URI for RTL TLDs, and fade on the left. Marco, do you know where we track this?
Component: Untriaged → Address Bar
Flags: needinfo?(mak77)
I suspect Bug 1419391.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(mak77)
Resolution: --- → DUPLICATE
Attached image noorigin.png
FWIW, Firefox for Android is also affected. The origin can be hidden entirely using a URL like the following:
http://xn--mgbh0fb.xn--mgberp4a5d4ar/000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (shortened: https://bit.ly/originhide)
The Android bug should be filed separately in the Firefox for Android product. The two codebases for the UI don't have a lot in common.
Group: firefox-core-security