Open Bug 1656735 Opened 4 years ago Updated 1 year ago

URL spoofing on Android with U+03XX (Combining Dots)

Categories

(Fenix :: Toolbar, defect, P5)

Unspecified
Android

Tracking

(Not tracked)

People

(Reporter: sdna.muneaki.nishimura, Unassigned)


Details

(Keywords: csectype-spoof, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?][geckoview:m83])

Attachments

(2 files)

UI on Firefox for Android (Stable 68.11.0, also Fenix Beta/Nightly) doesn't handle U+030X (Combining Dots) in URL correctly.
This can be used for address bar spoofing (Case 1) and similar URL spoofings (Case 2).

Case 1. U+0307 (combining dot above) over latin "j" can spoof address bar

  1. Launch http://xn--java-qwc.net/ by Firefox on Android (Stable, also Fenix)
  2. URL "java.net/" is shown in address bar
  3. Tap Padlock icon in address bar
  4. Address Not Found modal also shows "http://www.java.net/"

Case 2. U+0323 (combining dot below) can spoof URL somewhere other than address bar

  1. Launch http://www.xn--google-e4d.com by Firefox on Android (Stable, also Fenix)
  2. Address bar correctly shows "goog̣le.com" (i.e., goog[U+0323]le.com)
  3. Tap Padlock icon in address bar
  4. Address Not Found modal shows "http://www.google.com/" without U+0323
  5. Also tap Tab icon on the left side of address bar
  6. Current tab list also shows "google.com" without U+0323

Cases 1 & 2 should show U+03XX (Combining Dots) as Firefox on PC does.

Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Type: task → defect
Component: Security → General
Product: Firefox → GeckoView
Flags: needinfo?(dveditz)
Severity: -- → S3
Priority: -- → P1
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][geckoview:m83]

This looks like Fenix work rather than GV work.

Assignee: nobody → agi

(In reply to Kevin Brosnan [:kbrosnan] from comment #1)

> This looks like Fenix work rather than GV work.

Indeed, maybe the font that we're using doesn't display these characters correctly? From what I can see we always send the right string to the app.

Assignee: agi → nobody
Component: General → Security: Android
Product: GeckoView → Fenix

I created a test page that has links and content with some problem words for the combining dot above case https://www.kevinbrosnan.net/testcases/unicode-0x0307.html

In the java.net case this comes down to where the font chooses to display the combining dot. In many fonts, like Arial, the combining dot above is placed in the same location as the dot in i or j. It looks like in content for links we may do some fuzzing on the glyph location to try to make the extra mark as obvious as possible. I don't know what platform tools Android has to combat confusable strings. On Android there is a separate issue that the common fonts Droid and Roboto don't seem to have the unicode glyph, as they fail my ̇xerox test.

Jeff, would you check to see what font we use in the address bar and compare it to the problem places such as the address bar search, tabs tray and the page info dialog.

Flags: needinfo?(j)

Jeff is on iOS now.

Flags: needinfo?(j) → needinfo?(liuche)

This is really like our generic bug about combining characters, where they count as "same-script" so we don't detect or block them because they have many legit uses. The alternate approach is to do a "skeleton" compare to "popular" domains like Chrome is doing, which has the potential advantage of catching similar but old-school spoofing like paypai.com or paypa1.com.

This is the Fenix specific version of that work. I wouldn't dupe it because I suspect it will happen in the front end and will have to be reimplemented for Fenix.

Flags: needinfo?(dveditz)
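Both the reporter's two cases and the "skeleton" comparison suggested in the previous comment can be exercised offline. The Python below is an added example, not code from Firefox, Fenix or any participant in this bug: it decodes the ACE labels from the report with Python's built-in punycode codec, lists the combining marks a UI has to keep visible (the marks that the page-info dialog and tab list drop in Case 2), and runs a toy skeleton compare against a constructed popular-domain list. The popular list, the handful of confusable mappings, the last-two-labels approximation of a registrable domain and the edit-distance threshold are all assumptions for the demo, not Chrome's or Firefox's actual tables.

```python
import unicodedata
from typing import List, Optional, Tuple

# Constructed "popular domains" list for the demo; a real check would use a
# curated top-sites list (assumption, not any browser's real list).
POPULAR_DOMAINS = {"java.net", "google.com", "paypal.com"}

# Tiny hand-picked subset of confusable ASCII glyphs, in the spirit of the
# UTS #39 skeleton; this is NOT the full UTS #39 confusables table.
CONFUSABLE_MAP = str.maketrans({"1": "l", "I": "l", "0": "o", "|": "l"})


def to_unicode_host(host: str) -> str:
    """Decode each 'xn--' (ACE) label of a hostname to Unicode.

    Uses the punycode codec per label rather than the full IDNA codec so the
    demo shows exactly what the ACE label encodes, combining marks included.
    Labels without the ACE prefix are returned unchanged.
    """
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def combining_marks(text: str) -> List[Tuple[int, str]]:
    """Return every combining mark (Unicode categories Mn/Mc/Me) in text as an
    (index, 'U+XXXX') pair, so a UI can decide to render or highlight it."""
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(text)
            if unicodedata.category(ch).startswith("M")]


def skeleton(host: str) -> str:
    """Reduce a Unicode hostname to a comparison skeleton: NFD-decompose,
    drop all combining marks, then fold a few confusable ASCII glyphs."""
    decomposed = unicodedata.normalize("NFD", host)
    stripped = "".join(ch for ch in decomposed
                       if not unicodedata.category(ch).startswith("M"))
    return stripped.translate(CONFUSABLE_MAP)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(host: str) -> Optional[str]:
    """Return the popular domain this host imitates, or None.

    The last two labels stand in for the registrable domain (assumption; real
    code would consult the Public Suffix List). A host is a lookalike when it
    is not itself popular but its skeleton is within edit distance 1 of a
    popular domain's skeleton.
    """
    registrable = ".".join(to_unicode_host(host).split(".")[-2:])
    if registrable in POPULAR_DOMAINS:
        return None
    sk = skeleton(registrable)
    for popular in sorted(POPULAR_DOMAINS):
        if edit_distance(sk, skeleton(popular)) <= 1:
            return popular
    return None


if __name__ == "__main__":
    # The two hosts from the report plus the two ASCII cases from the comment.
    for host in ("xn--java-qwc.net", "www.xn--google-e4d.com",
                 "paypai.com", "paypa1.com", "java.net"):
        u = to_unicode_host(host)
        print(f"{host:24} -> {u!r:22} marks={combining_marks(u)} "
              f"lookalike_of={lookalike_of(host)}")
```

`to_unicode_host` shows why Case 1 is a rendering problem rather than a decoding one: the label decodes to "j" followed by U+0307, and only the font decides whether that dot lands on top of the j's own dot. `combining_marks` is the list a page-info dialog or tab tray would need to consult before it is allowed to display a plain-ASCII rendering of the host.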

Created: https://github.com/mozilla-mobile/fenix/issues/17550
For Fenix tracking and changes.

Flags: needinfo?(liucheia+bugzilla)
See Also: → 1507582, 1473911

Given that the desktop bugs are open there is not any value in hiding this bug.

Group: mobile-core-security
Depends on: 1473911
Flags: sec-bounty? → sec-bounty-
OS: Unspecified → Android
Severity: S3 → S4
Component: Security: Android → Toolbar
Priority: P1 → P5