Closed Bug 1697894 Opened 3 years ago Closed 3 years ago

The version 86.0.1 (64-bit) is vulnerable to homograph attack

Categories

(Firefox :: Security, task)

Product:
Firefox
Component:
Security
Type:
task

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1332714

People

(Reporter: caoyebo1999, Unassigned)

References

(
URL
)

Details

(Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(2 files)

20210312_034733.mp4
2.27 MB, video/mp4
Details
firefox.png
181.96 KB, image/png
Details
Attached video 20210312_034733.mp4

Firefox version: 86.0.1 (64-bit)
System: Windows 10 Home
When I visited a unicode domain consisting of some characters very similar to English characters (https://www.xn--80ak6aa92e.com), the url bar of firefox did not perform any processing, which caused the user to be deceived. Other browsers will convert this to punycode. I remember that firefox has fixed this problem in the previous version, but I don't know why this problem reappeared in my version.

Flags: sec-bounty?
Attached image firefox.png

We've never addressed this directly, so this isn't a new report. You can manually set Firefox to always show punycode in about:config, but of course that isn't an actual solution to the original problem.

The best option I'm aware of to attempt to address this is in bug 1507582, but even that (which is what Chromium does) is not a complete fix and has downsides. There's also limited evidence that this is actively being misused - phishing in general works well enough without trying to spoof the domain name, and such spoofed names have a limited shelf life until they get blocked by safebrowsing...

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: