Closed Bug 1637901 Opened 5 years ago Closed 5 years ago

IDN spoofing homograph attacks with U+0105 Latin Small Letter A with Ogonek

Categories

(Firefox :: Address Bar, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 1507582

People

(Reporter: houjingyi647, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

269.96 KB, application/x-zip-compressed
Attached file picture.zip

Steps to reproduce:

Click on a link with Unicode ą (U+0105) instead of Latin a.

Go to https://www.pąypal.com for example.

Actual results:

Address bar shows this as Unicode (https://www.pąypal.com)

Expected results:

Address bar should show this in punycode (www.xn--pypal-3wa.com)

Tested on Windows 10, both Firefox 76.0.1 and Firefox 77.0b5.

I do not think it is very easy for normal people to notice the difference. Also, I tested Chrome and the address bar shows punycode.

Flags: sec-bounty?
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Type: task → defect
Closed: 5 years ago
Component: Security → Address Bar
Resolution: --- → DUPLICATE
Summary: (punycode) homograph attacks with ą → IDN spoofing homograph attacks with U+0105 Latin Small Letter A with Ogonek

FWIW, Safari doesn't convert this to punycode either. (And I don't think we should, as a general rule.) Accented Latin letters are perfectly legitimate in domain names. Vowels with ogonek are used (for example) in Polish, and Polish people should be able to have Polish domain names without them being displayed as punycode gibberish.

As this is a known issue, it does not qualify for a bounty.

Flags: sec-bounty? → sec-bounty-
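
The trade-off discussed in this bug can be seen from the defender's side in the following added example, which is not part of the bug report or of Firefox's code. It shows that the label from the report is entirely Latin-script (so a single-script check passes it), and that a diacritic-stripping comparison against a list of protected names flags it while leaving an ordinary Polish label alone. The `PROTECTED` list, the function names and the second sample host are assumptions made for illustration.

```python
import unicodedata

# Assumption: names a site operator or mail filter wants to protect (constructed list).
PROTECTED = {"paypal"}

def to_punycode(label: str) -> str:
    """ASCII (A-label) form of one DNS label; ASCII labels pass through."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def scripts(label: str) -> set:
    """Approximate the script of each letter from its Unicode name.
    The stdlib has no Script property, so the first word of the name is a heuristic."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(label: str) -> str:
    """Strip combining marks after NFD decomposition: ą -> a + U+0328 -> a."""
    decomposed = unicodedata.normalize("NFD", label.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def lookalike_of(label: str):
    """Return the protected name a non-ASCII label collapses to, else None."""
    if label.isascii():
        return None
    base = skeleton(label)
    return base if base in PROTECTED else None

def report(host: str):
    """One row per label: (label, punycode form, scripts seen, protected-name match)."""
    return [(l, to_punycode(l), sorted(scripts(l)), lookalike_of(l))
            for l in host.split(".")]

if __name__ == "__main__":
    # Constructed sample hosts: the one from the report and a plain Polish word.
    for host in ("www.pąypal.com", "www.książka.pl"):
        for row in report(host):
            print(row)
```

Letters that have no canonical decomposition (for example ł) are not folded by `skeleton`, so this check covers accented forms only.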