Firefox, Camino, Mozilla, Konqueror, Opera, Omniweb, Safari, Netscape IDN Spoofing Security Issue
- 0
- Add a Comment
- No Related Post
And right before Patch Tuesday, too…
Gnomie Jerry points out that, “The Firefox workaround does not work with either Mac or Win versions. Try it, then restart the browser. Even though it still shows IDN as disabled, it still allows the exploit.”
The state of homograph attacks
“…III. The details
Proof of concept URL:
http://www.shmoo.com/idn/
Clicking on any of the two links in the above webpage using anything but IE should result in a spoofed paypal.com webpage.
The links are directed at “http://www.pаypal.com/”, which the browsers punycode handlers render as www.xn--pypal-4ve.com.
This is one example URL - - there are now many ways to display any domain name on a browser, as there are a huge number of codepages/scripts which look very similar to latin charsets.
Phishing attacks are the largest growing class of attacks on the internet today. I find it amusing that one of the large early adopters of IDN offer an ‘Anti-Phishing Solution’ [6].
Finally, as a business trying to protect their identity, IDN makes their life very difficult. It is expected there will be many domain name related conflicts related to IDN.
Vulnerable browsers include (but are not limited to):
Most mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc)
Safari 1.2.5
Opera 7.54
Omniweb 5…
IV. Detection
There are a few methods to detect that you are under a spoof attack. One easy method is to cut & paste the url you are accessing into notepad or some other tool (under OSX, paste into a terminal window) which will allow you to view what character set/pagecode the string is in. You can also view the details of the SSL cert, to see if it’s using a punycode wrapped version of the domain (starting with the string ‘xn-’.
V. Workaround
You can disable IDN support in mozilla products by setting ‘network.enableIDN’ to false. There is no workaround known for Opera or Safari.
VI. Vendor Responses
Verisign: No response yet.
Apple: No response yet.
Opera: They believe they have correctly implemented IDN, and will not be making any changes.
Mozilla: Working on finding a good long-term solution; provided clear workaround for disabling IDN.”
Full article: The state of homograph attacks
Cory Doctorow’s blog entry with easy instructions for disabling IDN support in Mozilla - Firefox support for IDN cannot be disabled:
Shmoo Group exploit: 0wn any domain, no defense exists
Secunia Advisory: SA14163
Konqueror IDN Spoofing Security Issue
Secunia Advisory: SA14162
Opera IDN Spoofing Security Issue
Secunia Advisory: SA14154
OmniWeb IDN Spoofing Security Issue
Secunia Advisory: SA14166
Safari IDN Spoofing Security Issue
Secunia Advisory: SA14164
Netscape IDN Spoofing Security Issue
Secunia Advisory: SA14165