Status bar URL spoofing without JavaScript (using IDN whole-script confusables)
Categories
(Core :: DOM: Core & HTML, defect, P3)
People
(Reporter: nowasky.jr, Unassigned)
References
(Depends on 1 open bug)
Details
(Keywords: csectype-spoof, reporter-external, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
POC: data:text/html,<form action=http://xn--mozlla-r9a.com/ method=post><a href=https://mozilla.com><input type=submit style=all:unset value=https://mozilla.com>
Spoofing the URL shown in the status bar when hovering a link is a well-known case when using JavaScript and probably cannot be fixed without breaking websites.
Users that want to avoid this behavior end up using browser extensions or disabling JavaScript altogether.
This report shows how the status bar can be spoofed without using Javascript by using a form and an anchor tag. This can be abused to perform phishing attacks against the user base previously described.
The POC shows a link pointing to https://mozilla.com that will lead to https://mozılla.com (note the 'ı' that is not converted into punycode) to make the attack more convincing.
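The following is an added example, not code from the report or from Mozilla: a static scan for the pattern the POC relies on. It tokenizes the markup, flags a submit control that sits inside both a <form> and an <a> whose hosts disagree (the click goes to the form's action, or the control's own formaction, while the status bar shows the anchor's href), decodes any xn-- label of the real target with an RFC 3492 Punycode decoder, and then checks whether the decoded host is a confusable of the displayed host. The tag tokenizer is deliberately minimal (unquoted attributes as in the POC), the confusable table is a small hand-picked Latin-script subset rather than Unicode's confusables.txt, and the sample inputs (the POC string and a benign form) are constructed here.

```javascript
"use strict";
// Added example (not Mozilla code): detect the status-bar spoof from the POC
// and tell a whole-script confusable target apart from an ordinary mismatch.

// --- RFC 3492 Punycode decoding (constants are the RFC's) --------------------
const BASE = 36, T_MIN = 1, T_MAX = 26, SKEW = 38, DAMP = 700, INITIAL_BIAS = 72, INITIAL_N = 128;

function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : delta >> 1;
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > ((BASE - T_MIN) * T_MAX) >> 1) {
    delta = Math.floor(delta / (BASE - T_MIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - T_MIN + 1) * delta) / (delta + SKEW));
}

// Decodes the part after "xn--", e.g. "mozlla-r9a" -> "mozılla".
function punycodeDecode(input) {
  // Digit values: a-z -> 0..25, 0-9 -> 26..35 (case-insensitive).
  const digit = (c) => (c >= 48 && c <= 57) ? c - 22 : (c >= 65 && c <= 90) ? c - 65 : (c >= 97 && c <= 122) ? c - 97 : BASE;
  const delim = input.lastIndexOf("-");
  const output = delim >= 0 ? Array.from(input.slice(0, delim), (ch) => ch.codePointAt(0)) : [];
  let n = INITIAL_N, i = 0, bias = INITIAL_BIAS, pos = delim + 1;
  while (pos < input.length) {
    const oldi = i;
    let w = 1;
    for (let k = BASE; ; k += BASE) {
      if (pos >= input.length) throw new Error("punycode: truncated input");
      const d = digit(input.charCodeAt(pos++));
      if (d >= BASE) throw new Error("punycode: invalid digit");
      i += d * w;
      const t = k <= bias ? T_MIN : k >= bias + T_MAX ? T_MAX : k - bias;
      if (d < t) break;
      w *= BASE - t;
    }
    bias = adapt(i - oldi, output.length + 1, oldi === 0);
    n += Math.floor(i / (output.length + 1));
    i %= output.length + 1;
    output.splice(i++, 0, n); // insert the code point at its position
  }
  return String.fromCodePoint(...output);
}

function toUnicodeHost(host) {
  return host.split(".").map((label) => {
    const l = label.toLowerCase();
    return l.startsWith("xn--") ? punycodeDecode(l.slice(4)) : l;
  }).join(".");
}

// Partial Latin-script confusable map, constructed for this example. Every
// entry is Latin script, which is why a mixed-script check never fires on it.
const CONFUSABLES = new Map([["\u0131", "i"], ["\u0237", "j"], ["\u0251", "a"], ["\u0261", "g"]]);
function skeleton(host) {
  return Array.from(host.normalize("NFKC"), (ch) => CONFUSABLES.get(ch) ?? ch).join("");
}

// --- Minimal tag tokenizer (enough for the POC's unquoted attributes) --------
const TAG_RE = /<(\/?)([a-z][a-z0-9]*)([^>]*)>/gi;
const ATTR_RE = /([^\s=/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
function parseAttrs(s) {
  const out = {};
  for (const m of s.matchAll(ATTR_RE)) out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  return out;
}
function hostOf(url) {
  // Relative URLs resolve against a placeholder page origin (assumption).
  try { return new URL(url, "http://page.invalid/").hostname.toLowerCase(); } catch { return null; }
}
function isSubmitControl(tag, attrs) {
  const type = (attrs.type ?? "").toLowerCase();
  if (tag === "input") return type === "submit" || type === "image";
  if (tag === "button") return type !== "button" && type !== "reset";
  return false;
}

// A submit control nested in both a form and an anchor navigates to the form's
// action (or its own formaction) while the status bar shows the anchor's href.
function findStatusBarSpoofs(markup) {
  const prefix = "data:text/html,";
  let html = markup;
  if (markup.startsWith(prefix)) {
    html = markup.slice(prefix.length);
    try { html = decodeURIComponent(html); } catch { /* not percent-encoded */ }
  }
  const findings = [];
  let formAction = null, anchorHref = null;
  for (const m of html.matchAll(TAG_RE)) {
    const closing = m[1] === "/", tag = m[2].toLowerCase(), attrs = parseAttrs(m[3]);
    if (tag === "form") formAction = closing ? null : (attrs.action ?? "");
    else if (tag === "a") anchorHref = closing ? null : (attrs.href ?? null);
    else if (!closing && isSubmitControl(tag, attrs) && formAction !== null && anchorHref !== null) {
      const shown = hostOf(anchorHref);
      const actual = hostOf(attrs.formaction ?? formAction);
      if (shown && actual && shown !== actual) {
        let decoded;
        try { decoded = toUnicodeHost(actual); } catch { decoded = actual; }
        findings.push({ shown, actual: decoded, confusable: skeleton(decoded) === skeleton(shown) });
      }
    }
  }
  return findings;
}

// Constructed sample input: the report's POC, plus a benign form for contrast.
const POC = "data:text/html,<form action=http://xn--mozlla-r9a.com/ method=post><a href=https://mozilla.com><input type=submit style=all:unset value=https://mozilla.com>";
const BENIGN = "<form action=https://mozilla.com/login method=post><a href=https://mozilla.com/login><input type=submit value=Go>";
console.log(JSON.stringify(findStatusBarSpoofs(POC)));    // [{"shown":"mozilla.com","actual":"mozılla.com","confusable":true}]
console.log(JSON.stringify(findStatusBarSpoofs(BENIGN))); // []
```

The `confusable` flag is what separates this report from an ordinary href/action mismatch: the form target decodes to a name whose confusable skeleton equals the host the status bar displays, and since 'ı' (U+0131) is Latin script like the rest of the label, a script-mixing IDN policy alone does not catch it.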
Comment 1•3 years ago
This is the same as Thunderbird bug 1470673. I couldn't find a Firefox equivalent, but of course there should be one since they share the browser engine that's responsible for this behavior. Unless we find that dupe this can stand in for it. It doesn't need to be hidden since the other one is public.