Open Bug 1927812 Opened 1 year ago Updated 1 year ago

IDN policy bypass using ī (U+012B)

Categories (Firefox :: Address Bar, defect, P3)

People (Reporter: aaron.dewes, Unassigned)

References (Depends on 1 open bug)

Details (Keywords: reporter-external, Whiteboard: [client-bounty-form])

Domain names containing ī (there's a real-world phishing page, rīpple.net, using this currently) can easily be confused for domain names containing i.

This issue is also present in Chromium and I reported it to them too.


Probably not eligible for the Bug Bounty, because I didn't come up with it. Not sure what your policy is on that. I don't expect a bounty here, but thought it wouldn't hurt to try 😉

Flags: sec-bounty?

I couldn't find an exact duplicate although this character sounds familiar. The general class of confusables is a well-known problem with no easy solution, though. See bug 1332714 and bug 1376641.

https://rīpple.net/ is an exact copy of https://ripple.com -- but why did they bother with the IDN character spoof when https://ripple.net is available for sale? Maybe it cost too much.

Group: firefox-core-security
Status: UNCONFIRMED → NEW
Component: Security → Address Bar
Depends on: 1376641
Ever confirmed: true
See Also: → 1332714
Severity: -- → S3
Priority: -- → P3

This is pretty much the same as the existing bugs; not duping because it's an interesting exploited example.
I think there was an old effort to ship a list of top 500 Alexa or such to check for confusables, though it never took off.

Flags: sec-bounty? → sec-bounty-
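
The idea raised in the last comment, checking hostnames against a list of popular sites for confusables, can be illustrated as follows. This is an added example, not code from Firefox or from anyone in this bug; the protected-label list and function names are hypothetical, and it only catches lookalikes that decompose to a base letter plus a combining mark (as ī, U+012B, does), not cross-script confusables.

```javascript
// Constructed stand-in for a "top sites" list (hypothetical, not a real data set).
// Labels are compared without the TLD, since the spoof in this bug used .net
// while the genuine site uses .com.
const PROTECTED_LABELS = new Set(["ripple", "mozilla", "paypal"]);

// Reduce a label to a comparison skeleton: canonical decomposition (NFD),
// drop combining marks (Unicode category M), lowercase.
// "rīpple" (U+012B) -> "ri" + U+0304 + "pple" -> "ripple".
function skeleton(label) {
  return label.normalize("NFD").replace(/\p{M}/gu, "").toLowerCase();
}

// Return the protected label that a Unicode hostname imitates, or null.
// A label that *is* a protected label is genuine and never flagged.
function findLookalike(hostname) {
  for (const label of hostname.split(".")) {
    const exact = label.normalize("NFC").toLowerCase();
    if (PROTECTED_LABELS.has(exact)) continue;
    const skel = skeleton(label);
    if (PROTECTED_LABELS.has(skel)) return skel;
  }
  return null;
}

// Constructed sample hostnames (Unicode form, as shown in the address bar).
const samples = [
  "r\u012Bpple.net",   // precomposed ī, the case from this bug
  "ri\u0304pple.net",  // same glyph written as i + combining macron
  "ripple.com",        // genuine label
  "r\u0456pple.net",   // Cyrillic і: no decomposition, so NOT caught here
];
for (const host of samples) {
  const hit = findLookalike(host);
  console.log(host, "->", hit ? `lookalike of "${hit}"` : "no match");
}
```

The Cyrillic sample passes through untouched, which is why a decomposition-based check like this can only supplement, not replace, script-mixing rules and a full confusables table.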