Closed Bug 1597332 Opened 5 years ago Closed 5 years ago

IDN URL Spoofing using "U+02ec" character

Categories

(Firefox :: Address Bar, defect)

Product:
Firefox
Component:
Address Bar
Version:
70 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1507582

People

(Reporter: jayateertha043, Unassigned)

References

Details

Attachments

(2 files)

chrome-behaviour.png
62.11 KB, image/png
Details
firefox-behaviour
87.10 KB, image/png
Details
Attached image chrome-behaviour.png

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0

Steps to reproduce:

Just Visit https://bugzillaˬmozilla.org/

Actual results:

The URL is spoofed like https://bugzilla.mozilla.org.
whereas the orginal URL is https://xn--bugzillamozilla-xdi.org/.

Expected results:

The expected behaviour is attached as screenshot ,which shows that Google Chrome Browser doesn't render the character in the URL to avoid URL SPOOFING.

Attached image firefox-behaviour

This is firefox behaviour

Component: Untriaged → Address Bar

This doesn't seem like a very convincing "spoof" to me; there's a clear visual difference between "ˬ" and a dot.

Duplicate of bug 1332714, no? (By the way, I see xn--bugzillamozilla-xdi.org in the address bar on macOS Firefox Nightly.)

(In reply to Anne (:annevk) from comment #3)

Duplicate of bug 1332714, no?

If this is a same-script (so latin?) character, sure - feel free to open up and dupe.

(In reply to Anne (:annevk) from comment #3)

(By the way, I see xn--bugzillamozilla-xdi.org in the address bar on macOS Firefox Nightly.)

I still see the IDN version if I drag the URL to a nightly instance. Not sure how you're opening it; is it possible you've toggled a pref to always show punycode on the profile you're using?

Flags: needinfo?(annevk)

This isn't really a dupe of bug 1332714, IMO ... that one is about "whole-script" spoofs, where for example an entirely-Cyrillic label looks the same as an entirely-Latin one, although it's made up of entirely distinct characters.

This case isn't about one script standing in for another in that way; we're looking at a small "modifier letter" ˬ that is classified as Script=Common, so usable in conjunction with any script without triggering punycode rules due to mixed-scripts; the reporter is asserting that it looks sufficiently like a dot that "bugzillaˬmozilla" could be confused with "bugzilla.mozilla". This seems a bit of a stretch to me; it's visually quite distinct on either my macOS or Windows machines, IMO. I suppose a user could overlook the fact that the "little mark between the words" isn't just a dot, but I'd be much more worried about "spoofs" like mozi11a.org than this.

(Turns out depending on how I navigate to the URL I see different results. That's an unrelated issue.)

Jonathan, fair, I guess bug 1376641 or bug 1507582 then. I don't think we need to track all the different ways letters can be used to spoof independently.

Flags: needinfo?(annevk)

I agree with Anne that it doesn't help us to track all of these independently, so I'm going to go ahead and dupe to bug 1507582.

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: