User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 Quote from article on Netcraft.com All non-Microsoft browers include a flaw that allows URL spoofing using Unicode characters, which can be exploited by phishing scams seeking to steal login information for online banking accounts. The spoofing flaw, which is demonstrated on the web site of the Shmoo Group, works in the Firefox, Mozilla and Opera browsers, as well as the Safari browser for Macs. The spoof exploits flaws in how the browsers interpret Unicode characters. A link using Unicode characters to replace the letter "a" in "Paypal" will display as www.paypal.com in the browser, but send users to www.xn--pypal-4ve.com - which then displays "www.paypal.com" in its address bar. A similar spoof works on SSL-enabled URLs (https) commonly used on banking and e-commerce sites. LINK to article: http://news.netcraft.com/archives/2005/02/07/nonmicrosoft_browsers_have_spoofing_flaw.html Bug finder: Shmoo Reproducible: Always Steps to Reproduce: 1. Load the website: http://www.shmoo.com/idn/ 2. Click on the paypal links 3. Notice the URL says Paypal but your not on Paypal's site. Actual Results: You go to a site that has a URL that says Paypal.com but essentially your at a totally different site. Expected Results: Show the real address, don't interpret the unicode characters in the URL.
*** This bug has been marked as a duplicate of 279099 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.