Shmoo Group Finds Exploit For non-IE Browsers 621
shut_up_man writes "Saw this on Boing Boing: East coast hacker con Shmoocon ended today and they had a nasty browser exploit to show off... using International Domain Name (IDN) character support to display fake domain names in links and the address bar. Their examples use Paypal (with SSL too) and this looks very useful for phishing attacks. Interesting note that it works in every browser *except* IE (which makes this exploit a lot less dangerous in the end, I suppose)."v The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.
Another IDN bug on Firefox (Score:5, Informative)
To disable IDN as a workaround for this problem (on Gecko-based browsers): hit about:config [about] and set network.enableIDN to false.
Re:Another IDN bug on Firefox (Score:5, Insightful)
Re:Another IDN bug on Firefox (Score:4, Informative)
Re:Another IDN bug on Firefox (Score:3, Interesting)
Recon spyware coders will implement this in their programs now so it'll work in MSIE.
Re:Another IDN bug on Firefox (Score:4, Informative)
On the other hand, this is nothing new. This was predicted a long time ago when debating on how to handle websites with charactersets incompatible with the ones used in Western countries
Re:Another IDN bug on Firefox (Score:5, Informative)
Re:Another IDN bug on Firefox (Score:3, Insightful)
Obviously, everyone went ahead and implemented IDN anyway, without fixing the problem. I mean, this is the computer industry after all...
Comment removed (Score:4, Informative)
Re:Another IDN bug on Firefox (Score:2, Interesting)
Look at the source, its obvious there
Re:Another IDN bug on Firefox (Score:5, Funny)
There is! Run I.E. in a VirtualPC window.
Re:Another IDN bug on Firefox (Score:3, Informative)
Two: The only way to see that you are not at paypal (unless you notice the flash-by in the status bar) is to look at the certificate details. For the POC site, the certificate was issued to "www.xn--pypal-4ve.com"
We all read those certs every time, neh?
Re:Another IDN bug on Firefox (Score:3, Informative)
Re:Another IDN bug on Firefox (Score:5, Informative)
Maybe it is a problem in the Firefox startup code not setting enableIDN properly.
Re:Another IDN bug on Firefox (Score:3, Informative)
Re:Another IDN bug on Firefox (Score:5, Informative)
While you can view the certificate in Firefox, it takes a whopping 4 clicks to get the info that shows the page is bogus (double click the lock icon, click security tab, click view cert). The average user will never find it. Even the above average users will be thrown by the General tab which shows the spoofed URL as though it were the real one. If they don't actively hunt down all indications that a site may be spoofed, they're going to be fooled.
What's worse, is that Safari doesn't even give the option to view certificates that it thinks are valid (not expired and signed by a valid root CA).
Ouch.
Re:Another IDN bug on Firefox (Score:4, Interesting)
The old MS spoofing quick-patch... (Score:4, Funny)
Re:Another IDN bug on Firefox (Score:3, Informative)
-nB
Re:Another IDN bug on Firefox (Score:2, Informative)
Re: (Score:3, Informative)
notepad (Score:5, Informative)
next:
Trolls can have a couple of days fun on slashdot.
And verisign van sell a lot of domains to phishers. (profit!)
Re:notepad (Score:3, Interesting)
A few more browser tests (and IE *is* affected) (Score:5, Informative)
Netscape 3.04 sees http://www.p?ypal.com/ -- looks the same in docsource
OffByOne 3.4a sees http://www.p0ypal.com/ -- looks the same in docsource
K-Meleon 0.9 sees http://www.p?ypal.com/ -- looks like http://www.pypal.com/ in docsource
IE 5.00.2314.1003 (yes, minor builds can make a *big* difference in how IE displays stuff) sees it as http://www.paypal.com/, but the "a" is about half normal size (this is at 1024x768). Docsource as IE feeds it to notepad looks like http://www.pypal.com/
Mozilla 1.5 sees it exactly the same as IE5.00 (above), including docsource
AOLpress (HTML editor with built-in browser) sees it exactly the same as OffByOne (above), including docsource
Netscape 4.50 sees http://www.p?ypal.com/ but displays http://www.pypal.com/ in docsource
Firebird 0.7 sees it exactly the same as Moz 1.5 and IE5.00 (above), including docsource
And Mosaic 0.9 can't figure out WHAT to do with the page and wants to save it to disk.
At this point, I ran out of installed browsers.
Re:notepad (Score:3, Informative)
Use the command prompt; by default that wouldn't be able to handle the right characters and should show up as '?'. Actually, I think the default raster font for that just doesn't have the character.
Re:notepad (Score:4, Informative)
IDN support is probably a good thing - we just need a way to show the user the difference between URLs if international characters are used.
Re:notepad (Score:3, Insightful)
Comment removed (Score:5, Informative)
Re:Another IDN bug on Firefox (Score:5, Informative)
Re:Another IDN bug on Firefox (Score:4, Informative)
Re:Another IDN bug on Firefox (Score:3, Interesting)
Then again...I have a nice little solution (quite by accident, in fact it's just due to me not bothering to sort my configuration out) anyway: any character sets not installed (all except the default) show up as a funny little square where the characters would normally be. I'd say that it's a pretty good give away when I've got http://www.p[]ypal.com (or there abouts) showing in the address bar...
Re:Another IDN bug on Firefox (Score:5, Informative)
Re:Another IDN bug on Firefox (Score:5, Insightful)
Re:Another IDN bug on Firefox (Score:5, Insightful)
Re:Another IDN bug on Firefox (Score:5, Insightful)
There are plenty of things people use that they have very little understanding of. They may know the interface of that device or system, but beyond that, it's all a black box to them. Browsers included.
If you go by your statement of "if you don't understand it, don't use it", I'm sure there are plenty of things you can eliminate out of your own life as well.
You're being too elitist (Score:5, Funny)
Uh-oh, looks like my "delete" key stopped working again. Must need another
Re:Another IDN bug on Firefox (Score:3, Insightful)
Re:Another IDN bug on Firefox (Score:5, Informative)
Browsers != Linux.
And it's not FUD - it is an actual problem. It sure tricked Firefox running on my windows machine.
Browsers ~!= Linux (Score:4, Insightful)
If the site spoofed were a trusted site for firefox extensions they could get some code to execute on the box. They could package a root kit and take control of a Linux or Mac, or the Buffer overflow du jour to take control of a Windows machine. Granted the Linux would be the most difficult due the the large variation of distros (and each distro differs on opinion where file belong), compiler options, etc.
For a truly secure OS, you should remove all applications and just run the OS in its pure state.
Re:Another IDN bug on Firefox (Score:2, Informative)
2) Most people don't look at the source code!
3) Hence it is a phishing vulnerability, i.e., masquerade to fool the average user
4) It certainly isn't FUD when your non-geek relative loses a lot of money by one of these phishing attacks
Re:Another IDN bug on Firefox (Score:2, Insightful)
Ah, I get it. When it's about FireFox, it's FUD. When it's about Microsoft, it's just another reason to switch. Am I getting warm?
Are phishers going to bother with this, though? (Score:5, Interesting)
Re:Are phishers going to bother with this, though? (Score:4, Insightful)
All it takes is 1% of the 10 percent.
Re:Are phishers going to bother with this, though? (Score:4, Insightful)
> Are phishers going to bother trying to use this exploit if it works on less than 10% of their potential victims?
They sure are. Think about how many people actually respond to spam messages. It's probably much smaller than 0.01%, but it's still economical enough for the to send out the messages anyway. I'd be fairly confident that the same holds true for phishers, too.
Re:Are phishers going to bother with this, though? (Score:5, Insightful)
Re:Are phishers going to bother with this, though? (Score:3, Informative)
The problem is that the browsers are rendering the address correctly.
The HTML entity а != U+1072. It corresponds to U+0430 CYRILLIC SMALL LETTER A, which it seems most fonts render almost exactly identical to U+0061 LATIN SMALL LETTER A.
It appears the problem is in RFC3491 "Nameprep: A Stringprep Profile for Internationalized Domain Names (IDN)" or RFC3292 "Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)". As I understand it, one of the proc
Canned Slashdot Response (Score:5, Funny)
So what? (Score:5, Insightful)
Atleast, we can bash FF instead of IE now.
Re:So what? (Score:5, Insightful)
It isn't a fault of the browser or IDNs.
Switch (Score:5, Funny)
IE also fails! (kinda) (Score:5, Informative)
This would actually appear to be a flaw in the Punycode standard rather than the browsers themselves, given that all IDN (internationalized domain name) aware browsers similarly fail.
Looks like someone may have to fix Punycode. Then we can update the browsers. In the mean time perhaps Opera, Firefox, etc. can given some kind of visual notification when Punycode is used, in the same way the URL turns yellow when a secure URL is entered in Firefox.
Unicode has already fixed this problem (Score:5, Informative)
Before resolving, all domain names should be normalized according to normalization form KC. (see http://www.unicode.org/unicode/reports/tr15/ [unicode.org]) Once that's done, anything that looks like an "a" really will be an "a", and not something that looks identical in Cyrillic.
That simple (SIMPLE!) step would avoid this problem, almost completely. There'd still be an issue with people using "paypál" instead of "paypal", but at least then the user has some vague chance of seeing the difference in the URL in the browser window.
It would also be good if responsible registrars refused to accept domain registrations for domains not normalized according to NFKC, but asking companies to refuse business simply because someone else would get hurt is probably not going to be effective.
Re:Unicode has already fixed this problem (Score:3, Interesting)
Re:Unicode has already fixed this problem (Score:4, Interesting)
On the other hand, it would prevent spoofing of Greek names using mu and capital omega, or capital A with ring above, or ff ligatures, since there are characters that have them as compatibility decompositions.
Re:IE also fails! (kinda) (Score:2)
I didn't pass a comment on Firefox being superior (although it is). All I'm saying is that we need to either 'fix' the Punycode system (if this is possible) and/or put a visual clue in the browser when Punycode is being used.
Though why I'm taking the time to respond to a troll I don't know. I must be bored!
Firefox 1.0 (Score:4, Informative)
This isn't a newly discovered exploit. (Score:5, Insightful)
This was a big part of the critisism around supporting larger character sets in domain names.
Re:This isn't a newly discovered exploit. (Score:3, Informative)
I can't be arsed to search for it either.
Justin.
Re:This isn't a newly discovered exploit. (Score:4, Informative)
Incidentally, it seems that Slashdot's ASCII-only URL reporting system successfully deflects such spoofing here: Go to paypal.com [www.p]
Opera won't fix it? (Score:5, Informative)
VI. Vendor Responses
Verisign: No response yet.
Apple: No response yet.
Opera: They believe they have correctly implemented IDN, and will not be making any changes.
Mozilla: Working on finding a good long-term solution; provided clear workaround for disabling IDN.
So, Opera won't fix it? They have a proof of concept, and Opera believe their implementation is correct? Maybe, but they still need to provide an update, and something tells me they will
Re:Opera won't fix it? (Score:5, Insightful)
So it will be quite difficult to fix this without breaking and/or changing the standard.
Re:Opera won't fix it? (Score:2)
Re:Opera won't fix it? (Score:3, Informative)
In case anybody's curious, Opera's broken, too.
I'm really kinda saddened by this. There was an exploit a year or two ago that worked in a similar way. It involved using an @ symbol in the header to disguise the true domain. At the time, Mozilla and IE were absolutely broken in that respect, but Opera
Re:Opera won't fix it? (Score:5, Insightful)
Re:Opera won't fix it? (Score:3, Interesting)
That's strange; I just tried it (in FF/1.0) and it remembered the setting and still had the site fail. Now the site still does render as "http://www.paypal.com/" in the status bar, but when I click on it I get a message saying "http://www.paypal.com/ was n
I'm waiting the patch from MS (Score:5, Funny)
Known for years.... (Score:5, Interesting)
On the other hand, no-one really seems sure of the best way to fix it... One option is obviously to mark somehow when non-ASCII characters are used, but while this will help the people who only want ASCII URLs, it will still leave the problem for everyone who wants to use this extended system, making it effectively useless....
Visual cues could be more refined than that (Score:3, Interesting)
I think you're on the right track here.
Perhaps the best approach is to use a different font/different color for particular ranges of characters, or characters outside of one's local
Flag mixing character groups. (Score:3, Interesting)
So you just need to work off of that strength, and flag when someone's mixed any two groups of characters. (I'm not sure what the official Unicode name is for them
Anyway, you start with the assumption that a domain name is going to contain only characters from one of those groups, and you
IDNs were a bad idea anyway (Score:4, Interesting)
There are so many characters that look alike, that it is trivial to register a domain name that will look the same as another one. Typically the different character would only be recognised by a native that used that character, although using it alongside normal English characters would probably throw them off as well.
Solution? Maybe an "IDN" icon in the URL bar, or a warning if an IDN uses a mixture of normal English characters with some foreign characters in an IDN.
Stop obsessing over Microsoft, please. (Score:2, Insightful)
IE wasn't relevant to this article, yet you found a way to wedge it in and smear it regardless.
The browsers the exploit WAS found for weren't even mentioned by name, yet IE was.
How is this anything except nasty propaganda?
Propaganda (Score:2, Informative)
Propaganda definition (Score:3, Informative)
This can apply to any time anyone says anything. However, in practice, the word "propaganda" is only used when someone does not like being said. It is similar to "rhetoric" in this regard.
Re:Stop obsessing over Microsoft, please. (Score:5, Insightful)
What about to the people who have the plugin for IDN? This is a place for geeks, and there are bound to be people that have that sort of plugin. Saying IE isn't affected is pretty much false in that light.
network.enableIDN doesn't fix things (Score:5, Informative)
Comment removed (Score:5, Informative)
Not Lynx (Score:4, Interesting)
It doesn't seem to work with Lynx, either. The URLs are obviously different from what they're supposed to be, and they don't point to any site at all.
Lynx does try the URL, though, so it may be possible to set up another domain to catch it, but the URL would still be obviously wrong (something like p%a%y%p%a%l.com)
Spoofstick plugin (Score:2)
This is defeated as well. Normally, you see the real domain name in Spoofstick under Firefox on Windows. As another poster stated, you do indeed briefly see the real URL in the status bar.
ICANN is worried too (Score:5, Informative)
Re:ICANN is worried too (Score:3, Informative)
Strength from weakness (Score:3, Funny)
IE is safer because it doesn't support a feature? Don't worry, I'm sure the plug-in will be installed with the next security update!
konqueror (Score:3, Informative)
Character apparances (Score:3, Insightful)
I thought this was a well-known attack -- using Unicode characters that look like latin but aren't. As more and more web sites start accepting unicode in user names without policing, I think we'll find more interesting applications for this type of attack.
This is not that different from "spoofing" using this address:
http://www.paypaI.com [paypai.com] I.e. replacing the lower-case L with an upper-case i. (except that paypai.com appens to be taken already, by an annoying site that maximizes the browser window no less.)
New Microsoft Security Mantra (Score:2, Funny)
Not all non-IE browsers (Score:3, Insightful)
Rebuttals (Score:5, Funny)
Douglas Hofstadter: When an A is not an A (Score:5, Interesting)
In the case of this exploit, a deep flaw in IDN and computer fonts means that character #1072 is rendered typographically as an "a". The irony is that this is one of the few cases in which a computer can readily tell the difference between "a" and #1072 and a person cannot. The only solution would be rules that prohibit isomorphic characters in typefaces or a in-browser warning system that analyses the potential for ambiguity and alerts the user.
misleading commentary (Score:4, Insightful)
While it may be technically true, it's like suggesting Firefox is susceptible to IE's infamous ActiveX vulnerabilities, just because there's an ActiveX plugin for Firefox too. Everyone is quick to jump on MS when there's new IE exploits, but we've got to accept that this seems to be one they got right. Making excuses about plugins doesn't really change that.
Re:misleading commentary (Score:3, Insightful)
The issue at hand here is that Firefox did not create IDN. Microsoft _did_ create ActiveX. The blame falls in both cases on Microsoft for being slow to implement something and absolutely ignorant to create ActiveX.
In other words, i
Re:misleading commentary (Score:3, Insightful)
IDN pain in the but anyway (Score:5, Informative)
Exploits (Score:3, Insightful)
Well, if we're going to disregard them on those grounds, we might as well disregard ActiveX exploits too (since FireFox doesn't support it). An exploit is an exploit. Don't play the game of justification.
p.s. I use Firefox.
Bug in browser, or in Unicode? (Score:3, Insightful)
This seems to be more of a bug in Unicode than in the browsers. Unicode has defined multiple character codes as having the exact same glyph. I thought we'd already run into this in Unicode with multiple long representations of the same character, decided it was a bad thing and corrected it by making any representation longer than the shortest illegal. Shouldn't we do the same thing here, and simply make it illegal to have multiple character codes appearing as the same glyph?
Previous Slashdot article (Score:3, Informative)
LiveHeaders on FF (Score:3, Interesting)
Looks like I'll have to use that to double check now. Still safer that IE.
Talk About Asking For Trouble (Score:3, Insightful)
On one hand, we (the
Don't get me wrong, I'm all about Firefox, but we can't get lazy.
Re:Call me a flamer.... errr (Score:3, Insightful)
Re:IE and Firefox (Score:3, Informative)
Re:Bug or feature? (Score:4, Insightful)
Do tell me when you became the world. Just because you personally likely won't use a feature doesn't mean it isn't useful for someone out there (what's the population of China and Japan combined?)
Re:How to fix it in Firefox (Score:3, Informative)
Doesn't work so well now, does it?
This fact (IMHO) is more dangerous than not being able to make the setting at all. At least with Safari (et al) I know that I always have to be vigilant, instead of being lulled into a false sense of security.
Clearly, Firefox has a major BUG in it. Fortunately, they seem to be pretty quick to fix these sort of things.
Re:Why? (Score:3, Insightful)
Can anyone please tell me why people "hack" or "phish" or anything that is used for malicious activity? I'm not trying to start an argument, I seriously want to know why some people spend so much time trying to make others lives miserable.
Money.
Think for a minute why it would be beneficial to the bad guys to have people logging into their site with valid PayPal usernames and passwords.