281578 - Spoofing a link to a separate site than what is displayed in the URL/Link text

Status: VERIFIED DUPLICATE of bug 279099

(Firefox :: Address Bar, defect)

Description

[colin]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Quote from article on Netcraft.com
All non-Microsoft browers include a flaw that allows URL spoofing using Unicode
characters, which can be exploited by phishing scams seeking to steal login
information for online banking accounts. The spoofing flaw, which is
demonstrated on the web site of the Shmoo Group, works in the Firefox, Mozilla
and Opera browsers, as well as the Safari browser for Macs.

The spoof exploits flaws in how the browsers interpret Unicode characters. A
link using Unicode characters to replace the letter "a" in "Paypal" will display
as www.paypal.com in the browser, but send users to www.xn--pypal-4ve.com -
which then displays "www.paypal.com" in its address bar. A similar spoof works
on SSL-enabled URLs (https) commonly used on banking and e-commerce sites.

LINK to article:
http://news.netcraft.com/archives/2005/02/07/nonmicrosoft_browsers_have_spoofing_flaw.html

Bug finder: Shmoo

Reproducible: Always

Steps to Reproduce:
1. Load the website: http://www.shmoo.com/idn/
2. Click on the paypal links
3. Notice the URL says Paypal but your not on Paypal's site.

Actual Results:  
You go to a site that has a URL that says Paypal.com but essentially your at a
totally different site.

Expected Results:  
Show the real address, don't interpret the unicode characters in the URL.

Comment 1

[:Gavin Sharp [email: gavin@gavinsharp.com]]

*** This bug has been marked as a duplicate of 279099 ***