Closed Bug 1697894 Opened 7 months ago Closed 7 months ago

The version 86.0.1 (64-bit) is vulnerable to homograph attack

Categories

(Firefox :: Security, task)

RESOLVED DUPLICATE of bug 1332714

People

(Reporter: caoyebo1999, Unassigned)

Details

(Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(2 files)

Attached video 20210312_034733.mp4

Firefox version: 86.0.1 (64-bit)
System: Windows 10 Home
When I visited a Unicode domain consisting of some characters very similar to English characters (https://www.xn--80ak6aa92e.com), the URL bar of Firefox did not perform any processing, which caused the user to be deceived. Other browsers will convert this to Punycode. I remember that Firefox has fixed this problem in the previous version, but I don't know why this problem reappeared in my version.

Flags: sec-bounty?
Attached image firefox.png

We've never addressed this directly, so this isn't a new report. You can manually set Firefox to always show punycode in about:config, but of course that isn't an actual solution to the original problem.

The best option I'm aware of to attempt to address this is in bug 1507582, but even that (which is what Chromium does) is not a complete fix and has downsides. There's also limited evidence that this is actively being misused - phishing in general works well enough without trying to spoof the domain name, and such spoofed names have a limited shelf life until they get blocked by safebrowsing...

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1332714
Flags: sec-bounty? → sec-bounty-
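The kind of URL-bar check both comments talk about (keep the Unicode form for ordinary IDNs, fall back to Punycode when a label mixes scripts or is built entirely from Cyrillic letters that look Latin) as an added Python example; this is not Firefox or Chromium code, and the lookalike set, function names and sample hostnames are assumptions constructed for the illustration.

```python
import unicodedata

# Cyrillic letters whose glyphs are near-identical to Latin letters in common
# fonts. A label made solely of these is a "whole-script confusable": it looks
# Latin but is not. Constructed, deliberately small set for illustration.
CYRILLIC_LATIN_LOOKALIKES = set("аеорсухѕіјԁԛԝһӏ")


def to_unicode_host(host: str) -> str:
    """Decode any xn-- (Punycode) labels of a hostname into Unicode."""
    out = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def script_of(ch: str) -> str:
    """Coarse script name taken from the Unicode character name (LATIN, CYRILLIC, ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def label_is_suspicious(label: str) -> bool:
    """True when a decoded label could be mistaken for a Latin-script name."""
    if label.isascii():
        return False
    letters = [c for c in label if c.isalpha()]
    scripts = {script_of(c) for c in letters}
    if len(scripts) > 1:
        return True  # mixed-script label, e.g. Latin plus Cyrillic
    if scripts == {"CYRILLIC"} and all(c in CYRILLIC_LATIN_LOOKALIKES for c in letters):
        return True  # whole-script confusable: every letter has a Latin twin
    return False


def display_form(host: str) -> str:
    """What a hardened URL bar would show: Unicode when safe, raw Punycode otherwise."""
    unicode_host = to_unicode_host(host)
    if any(label_is_suspicious(label) for label in unicode_host.split(".")):
        return host.lower()
    return unicode_host
```

A plain IDN such as a German umlaut domain is still shown in Unicode; only labels that pass the confusable tests fall back to the xn-- form.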