Closed
Bug 1721870
Opened 3 years ago
Closed 3 years ago
Unicode characters (Latin Extended Additional) being processed in Address Bar leading to possible phishing attack
Categories
(Firefox :: Security, defect)
Firefox
Security
Tracking
()
RESOLVED
DUPLICATE
of bug 1507582
People
(Reporter: neeran92, Unassigned)
References
()
Details
(Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Attachments
(1 file)
1.77 MB,
application/x-zip-compressed
|
Details |
[Issue]
Firefox (even the latest version) processes any Unicode characters (Latin Extended Additional) in the address bar and shows the processed version to the user which might lead to a possible phishing attack. I've taken the time to get a domain and replicate the issue so that it would be easier for you guys to replicate the issue / understand what issue I'm getting at. Hope this helps and gets patched soon!
[Steps to reproduce]
- Purchase a domain name. Specifically an ASCII version of "ȧpple.com" which turns out to be "xn--pple-pzb.com"
- Setup DNS records and point it to a server hosting a static site.
- Launch the latest version of Firefox and Browse to "xn--pple-pzb.com"
[Actual Results]
- Firefox processes "xn--pple-pzb.com" in the address bar and displays the Unicode version, "ȧpple.com" in the address bar to the end-user.
(Shown below: how Firefox processes Unicode characters {Latin Extended Additional})
[Expected Results]
- Firefox should have kept "xn--pple-pzb.com" in the address bar which gives the user a better opportunity at avoiding the possible phishing attack and eventually stopping the user from getting compromised.
- Other Chromium-based browsers I've tested such as Chrome, Brave, Opera, and Microsoft Edge display the URL in ASCII format, protecting the users from a possible phishing attack.
- Firefox should not process the Unicode characters (Latin Extended Additional) but instead, display them in the ASCII format so users have another layer of protection and are able to identify phishing attacks before it's too late!
[Shown below: how other browsers process Unicode characters (Latin Extended Additional)]
Flags: sec-bounty?
Group: websites-security → firefox-core-security
Component: Other → Security
Product: Websites → Firefox
Comment 1•3 years ago
|
||
Chrome allows those characters in general, but they have an internal list of popular domains that they check for similarities.
Status: UNCONFIRMED → RESOLVED
Type: task → defect
Closed: 3 years ago
Resolution: --- → DUPLICATE
Hey,
Thanks for the quick response!
My initial finding was that chrome displays the term in ASCII and firefox doesn't. I'm aware that chrome has an internal list which it checks against and warns the user. (I got that warning).
I've read the linked report, thanks again!
Flags: needinfo?(jhofmann)
Comment 3•3 years ago
|
||
Not aware of any additional information I could add here :)
Updated•3 years ago
|
Flags: needinfo?(jhofmann)
Updated•3 years ago
|
Flags: sec-bounty? → sec-bounty-
Updated•3 years ago
|
Group: firefox-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•