Spoofing a link to a separate site than what is displayed in the URL/Link text

VERIFIED DUPLICATE of bug 279099

Status

Firefox
Address Bar
14 years ago

People

(Reporter: colin, Assigned: Ben Goodger (use ben at mozilla dot org for email))

Tracking

Firefox Tracking Flags

(Not tracked)

Description

14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Quote from article on Netcraft.com
All non-Microsoft browsers include a flaw that allows URL spoofing using Unicode
characters, which can be exploited by phishing scams seeking to steal login
information for online banking accounts. The spoofing flaw, which is
demonstrated on the web site of the Shmoo Group, works in the Firefox, Mozilla
and Opera browsers, as well as the Safari browser for Macs.

The spoof exploits flaws in how the browsers interpret Unicode characters. A
link using Unicode characters to replace the letter "a" in "Paypal" will display
as www.paypal.com in the browser, but send users to www.xn--pypal-4ve.com -
which then displays "www.paypal.com" in its address bar. A similar spoof works
on SSL-enabled URLs (https) commonly used on banking and e-commerce sites.

LINK to article:
http://news.netcraft.com/archives/2005/02/07/nonmicrosoft_browsers_have_spoofing_flaw.html

Bug finder: Shmoo

Reproducible: Always

Steps to Reproduce:
1. Load the website: http://www.shmoo.com/idn/
2. Click on the paypal links
3. Notice the URL says Paypal but you're not on Paypal's site.

Actual Results:  
You go to a site that has a URL that says Paypal.com but essentially you're at a
totally different site.

Expected Results:  
Show the real address, don't interpret the Unicode characters in the URL.

*** This bug has been marked as a duplicate of 279099 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE

Updated

14 years ago
Status: RESOLVED → VERIFIED
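
The following is an added example, not part of the original bug report or of Firefox's code: a Python sketch of the check the report asks for, decoding each `xn--` label of a hostname and falling back to the raw ASCII form when a label mixes scripts. The function names are hypothetical, and script detection is approximated from the first word of each character's Unicode name.

```python
import unicodedata

ACE_PREFIX = "xn--"  # prefix that marks a Punycode-encoded (IDN) label


def decode_label(label):
    """Return the Unicode form of one DNS label; ACE labels are Punycode-decoded."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def to_ace(label):
    """Return the ASCII (xn--) form of one label, leaving ASCII labels unchanged."""
    if label.isascii():
        return label
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


def scripts_in(label):
    """Heuristic (assumption): a letter's script is the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def audit_host(host):
    """Per label: ASCII form, decoded form, scripts seen, and a mixed-script flag."""
    report = []
    for raw in host.split("."):
        uni = decode_label(raw)
        scripts = scripts_in(uni)
        report.append({
            "ace": to_ace(uni),
            "unicode": uni,
            "scripts": sorted(scripts),
            "suspicious": len(scripts) > 1,  # e.g. Latin letters with one Cyrillic letter
        })
    return report


def display_form(host):
    """Hostname to show the user: mixed-script labels stay in their xn-- form."""
    return ".".join(r["ace"] if r["suspicious"] else r["unicode"] for r in audit_host(host))
```

A mixed-script test does not catch a label written entirely in one look-alike script; that case needs a confusables table.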