Shmoo Group Finds Exploit For non-IE Browsers
shut_up_man writes "Saw this on Boing Boing: East coast hacker con Shmoocon ended today and they had a nasty browser exploit to show off... using International Domain Name (IDN) character support to display fake domain names in links and the address bar. Their examples use Paypal (with SSL too) and this looks very useful for phishing attacks. Interesting note that it works in every browser *except* IE (which makes this exploit a lot less dangerous in the end, I suppose)." The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.
So what? (Score:5, Insightful)
At least, we can bash FF instead of IE now.
This isn't a newly discovered exploit. (Score:5, Insightful)
This was a big part of the criticism around supporting larger character sets in domain names.
Stop obsessing over Microsoft, please. (Score:2, Insightful)
IE wasn't relevant to this article, yet you found a way to wedge it in and smear it regardless.
The browsers the exploit WAS found for weren't even mentioned by name, yet IE was.
How is this anything except nasty propaganda?
Re:Another IDN bug on Firefox (Score:5, Insightful)
Re:Another IDN bug on Firefox (Score:5, Insightful)
Re:Another IDN bug on Firefox (Score:1, Insightful)
Re:Opera won't fix it? (Score:5, Insightful)
So it will be quite difficult to fix this without breaking and/or changing the standard.
Character appearances (Score:3, Insightful)
I thought this was a well-known attack -- using Unicode characters that look like Latin but aren't. As more and more web sites start accepting Unicode in user names without policing, I think we'll find more interesting applications for this type of attack.
This is not that different from "spoofing" using this address:
http://www.paypaI.com [paypai.com] I.e. replacing the lower-case L with an upper-case i. (except that paypai.com happens to be taken already, by an annoying site that maximizes the browser window no less.)
Re:Are phishers going to bother with this, though? (Score:4, Insightful)
All it takes is 1% of the 10 percent.
Not all non-IE browsers (Score:3, Insightful)
Re:Are phishers going to bother with this, though? (Score:4, Insightful)
> Are phishers going to bother trying to use this exploit if it works on less than 10% of their potential victims?
They sure are. Think about how many people actually respond to spam messages. It's probably much smaller than 0.01%, but it's still economical enough for them to send out the messages anyway. I'd be fairly confident that the same holds true for phishers, too.
Re:Opera won't fix it? (Score:5, Insightful)
Re:So what? (Score:5, Insightful)
It isn't a fault of the browser or IDNs.
Re:Another IDN bug on Firefox (Score:2, Insightful)
Ah, I get it. When it's about FireFox, it's FUD. When it's about Microsoft, it's just another reason to switch. Am I getting warm?
Talk About Asking For Trouble (Score:3, Insightful)
On one hand, we (the
Don't get me wrong, I'm all about Firefox, but we can't get lazy.
Re:Call me a flamer.... errr (Score:3, Insightful)
misleading commentary (Score:4, Insightful)
While it may be technically true, it's like suggesting Firefox is susceptible to IE's infamous ActiveX vulnerabilities, just because there's an ActiveX plugin for Firefox too. Everyone is quick to jump on MS when there's new IE exploits, but we've got to accept that this seems to be one they got right. Making excuses about plugins doesn't really change that.
Re:Another IDN bug on Firefox (Score:5, Insightful)
Re:network.enableIDN doesn't fix things (Score:2, Insightful)
Re:Another IDN bug on Firefox (Score:5, Insightful)
There are plenty of things people use that they have very little understanding of. They may know the interface of that device or system, but beyond that, it's all a black box to them. Browsers included.
If you go by your statement of "if you don't understand it, don't use it", I'm sure there are plenty of things you can eliminate out of your own life as well.
Re:Another IDN bug on Firefox (Score:3, Insightful)
Re:Are phishers going to bother with this, though? (Score:5, Insightful)
Re:Stop obsessing over Microsoft, please. (Score:5, Insightful)
What about to the people who have the plugin for IDN? This is a place for geeks, and there are bound to be people that have that sort of plugin. Saying IE isn't affected is pretty much false in that light.
Re:Spin again (Score:1, Insightful)
Wrong. IDN is supposed to be a standard. IE does not support it, but this is not really a positive thing.
Note that IE (just like the other browsers) does not do anything to warn you when you are going to www.paypaI.com instead of www.paypal.com. This is exactly the same old trick as the one described in this advisory, except that it relies on similarities between ASCII characters (capital i and l) instead of ASCII vs non-ASCII characters.
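The two lookalike tricks discussed in this thread (a capital I standing in for l, and a Cyrillic letter inside an otherwise Latin name), as an added example that is not part of any poster's comment: a check that reports the name that actually goes to DNS and flags labels mixing scripts. The function names, finding labels and sample hosts are constructed for illustration, and bucketing scripts by Unicode character name is a simplifying assumption.

```python
import unicodedata

def label_scripts(label):
    """Scripts used by the letters of one DNS label.

    Assumption: the first word of the Unicode character name
    (LATIN, CYRILLIC, GREEK, CJK, ...) is a good-enough script bucket.
    """
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}

def inspect_host(host):
    """Return the wire form of `host` plus reasons to distrust its display form."""
    findings = []
    lowered = host.lower()              # DNS names are case-insensitive
    if lowered != host:
        findings.append("uppercase-letters")   # lower-casing exposes I-for-l swaps
    for label in lowered.split("."):
        if not label.isascii():
            findings.append("non-ascii-label")
            # One label drawing letters from several scripts is the
            # homograph pattern; a label wholly in one script is normal IDN use.
            if len(label_scripts(label)) > 1:
                findings.append("mixed-script")
    # The ASCII-compatible (punycode) form is what is actually resolved.
    wire = lowered.encode("idna").decode("ascii")
    return {"wire": wire, "findings": sorted(set(findings))}

# Constructed samples: the two tricks from the thread plus benign names.
SAMPLES = [
    "www.paypal.com",            # genuine name
    "www.paypaI.com",            # capital i instead of lower-case L
    "www.p\u0430ypal.com",       # U+0430 CYRILLIC SMALL LETTER A
    "\u4e2d\u6587.example",      # single-script IDN, legitimate use
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(ascii(h), inspect_host(h))
```

A label written entirely in one non-Latin script that happens to resemble a Latin word is not caught by the mixed-script test; showing the wire form to the user covers that case.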
Re:Bug or feature? (Score:4, Insightful)
Do tell me when you became the world. Just because you personally likely won't use a feature doesn't mean it isn't useful for someone out there (what's the population of China and Japan combined?)
A Possible Temporary Browser Solution (Score:2, Insightful)
i.e.
Re:Another IDN bug on Firefox (Score:2, Insightful)
Exploits (Score:3, Insightful)
Well, if we're going to disregard them on those grounds, we might as well disregard ActiveX exploits too (since FireFox doesn't support it). An exploit is an exploit. Don't play the game of justification.
p.s. I use Firefox.
Browsers ~!= Linux (Score:4, Insightful)
If the site spoofed were a trusted site for firefox extensions they could get some code to execute on the box. They could package a root kit and take control of a Linux or Mac, or the Buffer overflow du jour to take control of a Windows machine. Granted the Linux would be the most difficult due to the large variation of distros (and each distro differs on opinion where files belong), compiler options, etc.
For a truly secure OS, you should remove all applications and just run the OS in its pure state.
Firefox 1.0.1 (Score:2, Insightful)
Bug in browser, or in Unicode? (Score:3, Insightful)
This seems to be more of a bug in Unicode than in the browsers. Unicode has defined multiple character codes as having the exact same glyph. I thought we'd already run into this in Unicode with multiple long representations of the same character, decided it was a bad thing and corrected it by making any representation longer than the shortest illegal. Shouldn't we do the same thing here, and simply make it illegal to have multiple character codes appearing as the same glyph?
Re:Why? (Score:3, Insightful)
Can anyone please tell me why people "hack" or "phish" or anything that is used for malicious activity? I'm not trying to start an argument, I seriously want to know why some people spend so much time trying to make others' lives miserable.
Money.
Think for a minute why it would be beneficial to the bad guys to have people logging into their site with valid PayPal usernames and passwords.
Re:misleading commentary (Score:3, Insightful)
The issue at hand here is that Firefox did not create IDN. Microsoft _did_ create ActiveX. The blame falls in both cases on Microsoft for being slow to implement something and absolutely ignorant to create ActiveX.
In other words, if there is a spoofing exploit in css3 and Microsoft has not implemented it, is it the people who implemented it who are at fault or the people who created it? You're looking towards the wrong people for this problem I believe.
Re:notepad (Score:3, Insightful)
Re:Another IDN bug on Firefox (Score:3, Insightful)
Obviously, everyone went ahead and implemented IDN anyway, without fixing the problem. I mean, this is the computer industry after all...
Re:misleading commentary (Score:3, Insightful)