Closed
Bug 281674
Opened 20 years ago
Closed 20 years ago
International characters can be used for spoofing websites names
Categories
(Firefox :: General, defect)
VERIFIED DUPLICATE of bug 279099
People
(Reporter: jhouse, Assigned: bugzilla)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
See the page http://secunia.com/multiple_browsers_idn_spoofing_test/ for a
description of the issue as well as a test link. I did not copy/paste the link
from the status bar because I was not sure if the international characters would
copy right.
The bottom line is that a site can provide a bogus link. If the user clicks on
the link to follow it, the deception is complete... The URL for the site is
imperceptibly different, and if the spoofer did their job right, the page would
look identical. Check out the sample page for a spoofed version of paypal.
Reproducible: Always
Steps to Reproduce:
1. Go to http://secunia.com/multiple_browsers_idn_spoofing_test/
2. Click on the link that says "Test Now - Left Click On This Link"
3.
Actual Results:
The URL says "http://www.paypаl.com/" but the page is clearly not
"http://www.paypal.com".
Expected Results:
The second a in paypаl should be detected as a non-standard character (and
actually a different web page/domain name). This dangerous situation should
somehow be pointed out to the user.
Should the severity of this bug be changed to something higher than normal? I
think that this could be a significant danger to a Mozilla/Firefox user.
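One way to implement the check the report asks for under Expected Results, as an added example that is not part of the bug report or of Firefox's code: it flags any hostname label that mixes Latin with Cyrillic or Greek characters and shows the ASCII (xn--) form of the name. The function names and the three-script list are assumptions made for illustration.

```javascript
// Added example: flag hostname labels that mix Latin with another script.
// The script list is an illustrative subset, not a complete confusables policy.
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Return the sorted names of the listed scripts that occur in one label.
function scriptsInLabel(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of Object.entries(SCRIPTS)) {
      if (re.test(ch)) found.add(name);
    }
  }
  return [...found].sort();
}

// Inspect every label of a hostname and report mixed-script labels.
function inspectHost(host) {
  // URL parsing converts internationalized labels to their ASCII (xn--) form.
  const ascii = new URL(`http://${host}/`).hostname;
  const labels = host.toLowerCase().split(".").map((label) => {
    const scripts = scriptsInLabel(label);
    const nonAscii = [...label]
      .filter((c) => c.codePointAt(0) > 0x7f)
      .map((c) => "U+" + c.codePointAt(0).toString(16).toUpperCase().padStart(4, "0"));
    return { label, scripts, nonAscii, mixed: scripts.length > 1 };
  });
  return { host, ascii, suspicious: labels.some((l) => l.mixed), labels };
}

// Constructed inputs: the second "a" of the first name is U+0430
// (CYRILLIC SMALL LETTER A), as in the test link described in the report.
const spoofed = "www.payp\u0430l.com";
const genuine = "www.paypal.com";
console.log(JSON.stringify(inspectHost(spoofed), null, 2));
console.log("genuine suspicious:", inspectHost(genuine).suspicious);
```

A label written entirely in one non-Latin script passes this check, so it covers the mixed-script case shown in the report, not every look-alike name.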
Comment 1•20 years ago
If you see it on Secunia, and you don't find it already reported, you can be
99.9999% sure it's because you aren't searching with the right words.
*** This bug has been marked as a duplicate of 279099 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Updated•20 years ago
Status: RESOLVED → VERIFIED