Closed Bug 1721870 Opened 3 years ago Closed 3 years ago

Unicode characters (Latin Extended Additional) being processed in Address Bar leading to possible phishing attack

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1507582

People

(Reporter: neeran92, Unassigned)

References

(
URL
)

Details

(Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(1 file)

Firefox (even the latest version) processes any Unicode characters (Latin Extended Additional) in the address bar and shows the processed version to the user which might lead to a possible phishing attack as the URL seems like something it isn't. Explaine
1.77 MB, application/x-zip-compressed
Details

[Issue]
Firefox (even the latest version) processes any Unicode characters (Latin Extended Additional) in the address bar and shows the processed version to the user which might lead to a possible phishing attack. I've taken the time to get a domain and replicate the issue so that it would be easier for you guys to replicate the issue / understand what issue I'm getting at. Hope this helps and gets patched soon!

[Steps to reproduce]

  • Purchase a domain name. Specifically an ASCII version of "ȧpple.com" which turns out to be "xn--pple-pzb.com"
  • Setup DNS records and point it to a server hosting a static site.
  • Launch the latest version of Firefox and Browse to "xn--pple-pzb.com"

[Actual Results]

  • Firefox processes "xn--pple-pzb.com" in the address bar and displays the Unicode version, "ȧpple.com" in the address bar to the end-user.

(Shown below: how Firefox processes Unicode characters {Latin Extended Additional})

[Expected Results]

  • Firefox should have kept "xn--pple-pzb.com" in the address bar which gives the user a better opportunity at avoiding the possible phishing attack and eventually stopping the user from getting compromised.
  • Other Chromium-based browsers I've tested such as Chrome, Brave, Opera, and Microsoft Edge display the URL in ASCII format, protecting the users from a possible phishing attack.
  • Firefox should not process the Unicode characters (Latin Extended Additional) but instead, display them in the ASCII format so users have another layer of protection and are able to identify phishing attacks before it's too late!

[Shown below: how other browsers process Unicode characters (Latin Extended Additional)]

Flags: sec-bounty?
Group: websites-security → firefox-core-security
Component: Other → Security
Product: Websites → Firefox

Chrome allows those characters in general, but they have an internal list of popular domains that they check for similarities.

URL: http://xn--pple-pzb.com/http://ȧpple.com/
Status: UNCONFIRMED → RESOLVED
Type: task → defect
Closed: 3 years ago
Resolution: --- → DUPLICATE

Hey,

Thanks for the quick response!

My initial finding was that chrome displays the term in ASCII and firefox doesn't. I'm aware that chrome has an internal list which it checks against and warns the user. (I got that warning).

I've read the linked report, thanks again!

Flags: needinfo?(jhofmann)

Not aware of any additional information I could add here :)

Flags: needinfo?(jhofmann)
Flags: sec-bounty? → sec-bounty-
Group: firefox-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: