The version 86.0.1 (64-bit) is vulnerable to homograph attack
Categories: Firefox :: Security, task
People: Reporter: caoyebo1999, Unassigned
Details: Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Attachments: 2 files
Firefox version: 86.0.1 (64-bit)
System: Windows 10 Home
When I visited a Unicode domain consisting of some characters very similar to English characters (https://www.xn--80ak6aa92e.com), the URL bar of Firefox did not perform any processing, which caused the user to be deceived. Other browsers will convert this to punycode. I remember that Firefox fixed this problem in a previous version, but I don't know why this problem reappeared in my version.
Reporter, Comment 1 • 3 years ago

Comment 2 • 3 years ago
We've never addressed this directly, so this isn't a new report. You can manually set Firefox to always show punycode in about:config, but of course that isn't an actual solution to the original problem.
The best option I'm aware of to attempt to address this is in bug 1507582, but even that (which is what Chromium does) is not a complete fix and has downsides. There's also limited evidence that this is actively being misused - phishing in general works well enough without trying to spoof the domain name, and such spoofed names have a limited shelf life until they get blocked by Safe Browsing...
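Added example (not Firefox or Mozilla code) illustrating the kind of display decision Comment 2 contrasts: decode an A-label such as the reporter's xn--80ak6aa92e to Unicode, then decide whether a URL bar should fall back to punycode because the label mixes scripts or consists entirely of Cyrillic letters that imitate Latin ones, roughly the whole-script-confusable idea Chromium uses. The look-alike letter set is constructed for the example; a real policy would draw on the Unicode confusables data (UTS #39).

```python
import unicodedata

# Cyrillic letters whose glyphs are near-identical to Latin letters in common
# fonts. Constructed for this example, not the list any browser ships.
LATIN_LOOKALIKE_CYRILLIC = set("\u0430\u0435\u043e\u0440\u0441\u0443\u0445"
                               "\u0455\u0456\u0458\u04cf\u0501\u04bb")


def to_unicode_label(label: str) -> str:
    """Decode an A-label (xn--...) to its U-label; pass other labels through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def script_of(ch: str) -> str:
    """Approximate the script from the first word of the character name
    (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def is_deceptive_label(label: str) -> bool:
    """True when the label should be shown as punycode: it mixes scripts,
    or every letter is a Cyrillic look-alike of a Latin letter."""
    u = to_unicode_label(label)
    if u.isascii():
        return False
    letters = [c for c in u if c != "-" and not c.isdigit()]
    scripts = {script_of(c) for c in letters}
    if len(scripts) > 1:
        return True  # mixed-script label, e.g. Latin with one Cyrillic 'a'
    return scripts == {"CYRILLIC"} and all(
        c in LATIN_LOOKALIKE_CYRILLIC for c in letters)


def display_host(host: str) -> str:
    """Render a hostname the way a cautious URL bar would: Unicode for labels
    judged safe, the punycode A-label for deceptive ones."""
    return ".".join(
        label.lower() if is_deceptive_label(label) else to_unicode_label(label)
        for label in host.split("."))
```

A genuine single-script Cyrillic name (one containing letters with no Latin twin) stays in Unicode under this check, which is the trade-off the comment alludes to: the heuristic only catches labels built entirely from look-alikes.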
Updated • 3 years ago