Closed Bug 281439 Opened 19 years ago Closed 19 years ago

Serious security issue -- phishing vulnerability

Categories: Firefox :: General, defect
Hardware/OS: x86 / All
Type: defect
Priority: Not set
Severity: major
Tracking: RESOLVED DUPLICATE of bug 279099
People: Reporter: roland.sippel; Assigned: bugzilla

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de-AT; rv:1.7.3) Gecko/20040910
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-AT; rv:1.7.3) Gecko/20040910

A demo at "The state of homograph attacks" by Eric Johanso showed
https://www.paypal.com/ being spoofed, certificate and all. The phishing
vulnerability works with http:// AND https:// !!!

Also the published workaround (about:config > network.enableIDN > false) does
not work. This only works while Firefox is running. Once it restarts, IDN works
even though the setting is still false. You have to enable and re-disable it each
time you run Firefox. It looks like a bug in Firefox's initialisation.

Reproducible: Always

Steps to Reproduce:
1. https://www.pаypal.com/ shows https://www.paypal.com/
Decimal 1072 in Unicode for a Cyrillic letter: a

Works in Firefox AND Mozilla!!

Actual Results:  
Shows wrong URL and wrong security certificate

Expected Results:  
Solution: Mark non-ASCII chars -RED-
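
A defender-side check of the kind the suggested fix calls for, added here as an example (it is not code from this bug, from Firefox or from the reporter): for each hostname label it derives the punycode form, lists non-ASCII code points, flags labels that mix scripts, and renders non-ASCII characters in red on a terminal. The hostname is the one from the report; classifying script by the first word of the Unicode character name is an assumption of this example, not a full confusable-detection policy.

```python
import unicodedata

RED, RESET = "\x1b[31m", "\x1b[0m"


def script_of(ch: str) -> str:
    """Script from the Unicode name, e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'.
    (Assumption of this example: first word of the name is a good-enough script tag.)"""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def analyze_hostname(host: str) -> dict:
    """Per-label report: ASCII (punycode) form, non-ASCII code points, mixed scripts."""
    labels = []
    for label in host.lower().split("."):
        non_ascii = [(ch, ord(ch), unicodedata.name(ch, "?")) for ch in label if ord(ch) > 127]
        scripts = sorted({script_of(ch) for ch in label if ch.isalpha()})
        # The 'xn--' prefix plus punycode is what the DNS query actually carries.
        ascii_form = "xn--" + label.encode("punycode").decode("ascii") if non_ascii else label
        labels.append({
            "label": label,
            "ascii": ascii_form,
            "non_ascii": non_ascii,
            "scripts": scripts,
            "mixed_script": len(scripts) > 1,
        })
    # Flag any non-ASCII label, as the report suggests; a production policy would
    # usually allow single-script non-Latin labels and flag only mixed scripts.
    return {
        "host": host,
        "ascii_host": ".".join(l["ascii"] for l in labels),
        "suspicious": any(l["non_ascii"] or l["mixed_script"] for l in labels),
        "labels": labels,
    }


def render_marked(host: str) -> str:
    """Display form with every non-ASCII character wrapped in ANSI red."""
    return "".join(f"{RED}{ch}{RESET}" if ord(ch) > 127 else ch for ch in host)


if __name__ == "__main__":
    # Constructed sample: the spoofed host from the report (Cyrillic a, U+0430, in 'paypal').
    report = analyze_hostname("www.p\u0430ypal.com")
    print(render_marked(report["host"]), "->", report["ascii_host"])
    for l in report["labels"]:
        if l["non_ascii"] or l["mixed_script"]:
            print(f"  label {l['label']!r}: scripts={l['scripts']} non_ascii={l['non_ascii']}")
```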
Please follow bug reporting guidelines when filing bugs, especially the one
about searching for duplicates.

*** This bug has been marked as a duplicate of 279099 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Group: security
Not much point using the confidential flag to hide a bug based on public
information.