Shmoo Group Finds Exploit For non-IE Browsers

shut_up_man writes "Saw this on Boing Boing: East coast hacker con Shmoocon ended today and they had a nasty browser exploit to show off... using International Domain Name (IDN) character support to display fake domain names in links and the address bar. Their examples use Paypal (with SSL too) and this looks very useful for phishing attacks. Interesting note that it works in every browser *except* IE (which makes this exploit a lot less dangerous in the end, I suppose)."v The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.

Another IDN bug on Firefox

[IO+ERROR]

When trying this out on Firefox on Linux, I noticed that the URL in the address bar is rendered two or three pixels lower than normal. If you're paying close attention, this is easy to spot. Also, the "real" URL appears in the status bar while the spoofed page is being loaded, i.e. "Looking up www.xn--pypal-4ve.com..."

To disable IDN as a workaround for this problem (on Gecko-based browsers): hit about:config and set network.enableIDN to false.

Re:Another IDN bug on Firefox

[vivin]

Who says this is a Linux vulnerability? This is a browser vulnerability.

Browsers != Linux.

And it's not FUD - it is an actual problem. It sure tricked Firefox running on my windows machine.

Re:Another IDN bug on Firefox

[Troed]

Works 100% as advertised in Opera. No easy way to spot it's fake.

On the other hand, this is nothing new. This was predicted a long time ago when debating on how to handle websites with charactersets incompatible with the ones used in Western countries ..

Re:Another IDN bug on Firefox

1) It isn't a Linux vulnerability, it is an IDN phishing vulnerability that affects Firefox amongst other browsers
2) Most people don't look at the source code!
3) Hence it is a phishing vulnerability, i.e., masquerade to fool the average user
4) It certainly isn't FUD when your non-geek relative loses a lot of money by one of these phishing attacks

Re:Another IDN bug on Firefox

[squiggleslash]

Just tried it on Safari, and unfortunately none of the "bugs" that occur in Firefox that give the game away are present. Mouseover looks like Paypal. Connecting message shows nothing untoward. Renders as "www.paypal.com" in the regular font and location on the URL bar.

I wonder if there's a quick and easy fix for this for Safari users, like there is for Firefox (about:config, network.enableIDN -> false.)

Re:Another IDN bug on Firefox

[duvie]

One: the setting of enableIDN to false appears to have NO effect.

Two: The only way to see that you are not at paypal (unless you notice the flash-by in the status bar) is to look at the certificate details. For the POC site, the certificate was issued to "www.xn--pypal-4ve.com"

We all read those certs every time, neh?

Re:Another IDN bug on Firefox

[Digitalia]

That did not work for me. Upon disabling IDN, I went back and tried the link again. It was still spoofed.

Re:Another IDN bug on Firefox

[finkployd]

To disable IDN as a workaround for this problem (on Gecko-based browsers): hit about:config and set network.enableIDN to false.

That is a great suggestion, except for the part where it does not work.

Go ahead, make the change, then restart your browser. Now go look at about:config again. Yup, still set to false. Now go see if it the setting worked. It does not. So at least with Firefox 1.0 just took a bad situation and made it worse. Now people will think turning off this setting will actually accompolish something and protect them and it will not.

Finkployd

Re:Another IDN bug on Firefox

[aWalrus]

It worked for me (firefox in OS X). What it does is fix the lookup, not the display, so the links will still look as they did, but when you click on them it says "domain not found"

Re:Another IDN bug on Firefox

[hcdejong]

That's assuming "people" understand HTML. Hint: Most computer users don't.

Re:Another IDN bug on Firefox

[Aeiri]

Ahh you stupid Slashdot parsing engine!

Looks like "https://www.pypal.com/"

That should be:
Looks like "https://www.p[weirdchineselookingcharacterwithabo xaroundit]ypal.com/"

...and now I have to wait two minutes to post this and correct myself, great...

Re:Another IDN bug on Firefox

[That's+Unpossible!]

Go ahead, make the change, then restart your browser. Now go look at about:config again. Yup, still set to false. Now go see if it the setting worked. It does not.

WFM. I am unable to visit those links after disabling IDN. This is because the browser is no longer translating the name to the Punycode format that the IDN DNS system requires, therefore the lookup fails.

Perhaps your cache setting is fucked.

Re:Another IDN bug on Firefox

[AstroDrabb]

One: the setting of enableIDN to false appears to have NO effect.

Are you using Firefox 1.0? I set enableIDN to false and now if I click any of the spoof links, I instantly get a "www.paypal.com could not be found" alert.

Re:Another IDN bug on Firefox

[double-oh+three]

And when this was presented at Shmoocon they mentioned that, IIRC they said that it was first thought up in 2001. Safari's fooled too, with the source code thing not apparently working. However if you try to save the page the international characters will disappear from the filename.

Re:Another IDN bug on Firefox

[AstroDrabb]

Hmm, I stand corrected. Setting enableIDN and then testing worked right away for me. Until I restarted my browser. About:config still shows enableIDN set to false, but the spoof works again. However, if I go back into about:config and reset enableIDN to false, it again stops the spoof.

Maybe it is a problem in the Firefox startup code not setting enableIDN properly.

Re:Another IDN bug on Firefox

[AstroDrabb]

Restart you browser and then try again. I thought it was working until a restart of Firefox and it appears that the Firefox startup code doesn't properly set enableIDN based on your profile settings. As soon as you restart, the spoof works again. However, go into about:config and you will see that enableIDN is still set to false, so toggle it to true and then false again and the spoof won't work. Rinse, repeat.

Re:Another IDN bug on Firefox

[Zocalo]

Well, changing the actual setting via about:config works OK for me with Firefox 1.0 on both MS Windows XP and Fedora Core 3 (both fully patched). However, even with IDN supposedly disabled in Firefox clicking on the links still takes me to the spoofed version of Paypal on both links, and I'm not seeing any of the URL bar glitches either. More worryingly, on the HTTPS site, the domain is also given as "www.paypal.com" by the padlock icon; you have to double click on the padlock and then view the certificate before you finally see that the site is actually "www.xn--pypal-4ve.com".

Re:Another IDN bug on Firefox

[strider44]

It's obvious without even looking for it on my 1280x1024 low-size font resolution. However most users will just think "that's odd" and not take any precautions.

Re:Another IDN bug on Firefox

[finkployd]

Uh huh, try restarting your browser and going back. With mine (Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0) I get the meeow paypal page even though about:config shows the setting is still set to false.

Frightening to see this kind of bug in Firefox, I hope it is fixed soon.

Finkployd

Re:Another IDN bug on Firefox

[bunratty]

It still worked after restarting my browser using a recent trunk build of Mozilla on Windows XP. Try a recent trunk nightly build of Firefox and see if it works after restart.

Re:Another IDN bug on Firefox

[bahamat]

It was probably cached, which does nothing to help anyone. Any user no matter how long they've been using computers is apt to think that disabling it will make a difference right away. I've been developing websites for close to 10 years, and browser cache is the biggest thorn in my side in that area.

While you can view the certificate in Firefox, it takes a whopping 4 clicks to get the info that shows the page is bogus (double click the lock icon, click security tab, click view cert). The average user will never find it. Even the above average users will be thrown by the General tab which shows the spoofed URL as though it were the real one. If they don't actively hunt down all indications that a site may be spoofed, they're going to be fooled.

What's worse, is that Safari doesn't even give the option to view certificates that it thinks are valid (not expired and signed by a valid root CA).

Ouch.

Re:Another IDN bug on Firefox

[bunratty]

This has been reported as bug 281377.

Re:Another IDN bug on Firefox

[networkBoy]

It works _until_ you restart fool.
-nB

Re:Another IDN bug on Firefox

I.E has got a similar security flaw (ability to display any URL in the address bar, but have the content load from a different website) the I.E "bug" has been known about since december but not yet been fixed, its documented here: http://secunia.com/internet_explorer_cross-site_sc ripting_vulnerability_test/

IE also fails! (kinda)

[grandmofftarkin]

The first thing I did was fire up IE (a rare occurrence) and test this. IE also failed (for me). Then I remembered that I have the i-Nav plug-in installed. Granted, this isn't actually a fault of IE then but rather the plugin. Though it should be noted that IE is only spared because (in it's default configuration, i.e. without the plugin) it doesn't support standards. In this case that standard is Punycode.

This would actually appear to be a flaw in the Punycode standard rather than the browsers themselves, given that all IDN (internationalized domain name) aware browsers similarly fail.

Looks like someone may have to fix Punycode. Then we can update the browsers. In the mean time perhaps Opera, Firefox, etc. can given some kind of visual notification when Punycode is used, in the same way the URL turns yellow when a secure URL is entered in Firefox.

Firefox 1.0

[rubypossum]

If you "View Source" for some weird reason the real address shows up in the title bar.

Opera won't fix it?

[MoonFog]

From the text:
VI. Vendor Responses

Verisign: No response yet.
Apple: No response yet.
Opera: They believe they have correctly implemented IDN, and will not be making any changes.
Mozilla: Working on finding a good long-term solution; provided clear workaround for disabling IDN.

So, Opera won't fix it? They have a proof of concept, and Opera believe their implementation is correct? Maybe, but they still need to provide an update, and something tells me they will .. eventually.

Re:Opera won't fix it?

[NanoGator]

"So, Opera won't fix it? They have a proof of concept, and Opera believe their implementation is correct? Maybe, but they still need to provide an update, and something tells me they will .. eventually."

In case anybody's curious, Opera's broken, too.

I'm really kinda saddened by this. There was an exploit a year or two ago that worked in a similar way. It involved using an @ symbol in the header to disguise the true domain. At the time, Mozilla and IE were absolutely broken in that respect, but Opera was nice enough to put up a friendly message saying "Are ya sure you want to enter this particular domain?" (Kinda necessary, those @ symbols are useful.) Guess I just kinda expected more from Opera in this respect.

network.enableIDN doesn't fix things

[openSoar]

The 'fix' they mention (setting network.enableIDN to false via about:config) only works until you restart the browser - when you reopen the browser, things are back to the same even though the setting is still false..

Re:network.enableIDN doesn't fix things

[finkployd]

I was fully prepared to test this myself, find out you were either full of it (or a troll), and let /. know you were wrong.

My plan was going perfectly, right up to the point where what you said turned out to be 100% correct :(

Shame on Firefox for taking a bad situation and making it worse. If about:config reports that a security related setting is X when in fact it is Y, this is worse than not providing a fix at all. A false sense of security (from a browser that is supposed be better) is worse than being aware of the security problems and reacting accordingly.

Finkployd

ICANN is worried too

[Peter_Pork]

From ICANN's log:

There are many technical problems with this change. It essentially undermines IDNA, which is now on standards track, by adding a level of guessing to the DNS that IDNA is explicitly designed to avoid. Further, it makes it appear that IDNs are only useful in domain names for web sites (and only for sites in .com and .net), and only at the second level. VGRS has said that their plug-in will not work with most of the ccTLDs, for example.

For example, if you enter .com in Internet Explorer for Windows, where "" is the single hex octet 0xE5, you see the screen shown in the attached file called "[lynn-message-to-iab-06jan03-]e5.tif". (Sorry about the TIFF image, but it's the only reliable format for PC screen dumps.) As you can see, VGRS makes wild guesses about what the user wanted, some of which are very clearly impossible. Worse yet, they do not include all of the legal guesses that they could have made. And, just to make it completely confusing to the user, not all of the choices work.

The DNS is not supposed to be a best-guess service, yet VGRS has turned .com and .net into this just before IDNA is to be an RFC. VGRS should not be allowed, through its monopoly on the .com and .net gTLDs, to destroy the coherence of the DNS for its own short-term profit. ICANN should demand that VGRS immediately stop giving incorrect answers to any query in .com and .net, and should instead follow the IETF standards. If VGRS refuses, ICANN should re-delegate the .com and .net zones to registries that are more willing to follow the DNS standards.

See this also.

Re:ICANN is worried too

[gowen]

Neither of those are about this concern (homographs between Cyrillic and Latin alphabets). That's a concern about Verisign using non-IDN methods to do DNS-lookups, and (like the late, unlamented SiteFinder) doing fuzzy matches in the case of unrecognised UTF domain names.

Propaganda

[AtariAmarok]

"Propaganda" being anything someone says that you do not like. Mentioning IE is quite relevant. My first thought on reading such a thing is its status in regards to MSIE. Also, in case you have not heard before, MSIE has a reputation for being subject to such exploits in the past.

konqueror

[j0nb0y]

I've confirmed that konqueror is vulnerable. Anyone know how to disable this in konqueror?

notepad

[leuk_he]

If i copy /paste the link into notepad it just looks right And if i copuy /past it back to firefox i get the "spoofed" page back again.

next:

Trolls can have a couple of days fun on slashdot.

And verisign van sell a lot of domains to phishers. (profit!)

Re:notepad

[Myen]

Probably depends on Windows version - on 2k/XP at least, Notepad is a Unicode app and can handle non-ASCII characters; not the case in 9x.

Use the command prompt; by default that wouldn't be able to handle the right characters and should show up as '?'. Actually, I think the default raster font for that just doesn't have the character.

Re:notepad

[kerrle]

Microsoft didn't "get something right", they just don't support the feature that this takes advantage of.

IDN support is probably a good thing - we just need a way to show the user the difference between URLs if international characters are used.

Propaganda definition

[AtariAmarok]

"the systematic propagation of a doctrine or cause or of information reflecting the views and interests of those advocating such a doctrine or cause,"

This can apply to any time anyone says anything. However, in practice, the word "propaganda" is only used when someone does not like being said. It is similar to "rhetoric" in this regard.

"Shmoo" didn't find anything.

[baafie]

Shmoo Group Finds Exploit For non-IE Browsers

Actually, they didn't find anything. They demonstrated how the IDN character support could be used to trick users. A virtually identical demonstration can be found in the original paper/advisory. Thanks for the FUD, slashdot editors.

Furthermore, whether this is actually an exploit or not remains a subject of debate, as is evident from Opera's response ("It's implemented properly"). Fact remains that people can be fooled, though.

IDN pain in the but anyway

[spectrokid]

Here in Scandinavia, the letters Å,Æ,Ø, are actually quite new. It is acceptable to spell them as AA, AE and OE respectively on non-scandinavian keyboards. With IDN adresses now becomming available, you constantly have to remember which spelling is used on which website. It would be a hell of a lot more practical if only the 26 alphabeth was used and software would automatically expand ingeniøren.dk to ingenioeren.dk. This way you could use whatever you want. And websites will not be too happy about using special characters, because it makes them almost impossible to reach on non-scandinavian computers.

Re:IE and Firefox

[Mattcelt]

Spoofstick is a useful tool, too. I don't know if it protects against this particular attack, but it's good for the casual browser (i.e., mom/aunt gert/the cranky old guy down the street who always asks for computer help) to help protect against phishing.

Re:This isn't a newly discovered exploit.

[aug24]

You're right - the example from a couple of years ago was using www.microsoft.com but with the Os in microsoft being a russian character that is drawn identically.

I can't be arsed to search for it either.

Justin.

Re:How to fix it in Firefox

[NtroP]

Yeah. Now quit Firefox and restart it.

Doesn't work so well now, does it?

This fact (IMHO) is more dangerous than not being able to make the setting at all. At least with Safari (et al) I know that I always have to be vigilant, instead of being lulled into a false sense of security.

Clearly, Firefox has a major BUG in it. Fortunately, they seem to be pretty quick to fix these sort of things.

Re:This isn't a newly discovered exploit.

[mithras+the+prophet]

Here's the earlier article: Spoofing URLs With Unicode. Summary:

"Scientific American has an interesting article about how a pair of students at the Technion-Israel Institute of Technology registered "microsoft.com" with Verisign, using the Russian Cyrillic letters "c" and "o". Even though it is a completely different domain, the two display identically (the article uses the term "homograph"). The work was done for a paper in the Communications of the ACM (the paper itself is not online). The article characterizes attacks using this spoof as "scary, if not entirely probable," assuming that a hacker would have to first take over a page at another site. I disagree: sending out a mail message with the URL waiting to be clicked ("Bill Gates will send you ten dollars!") is just one alternate technique. While security problems with Unicode have been noted here before, this might be a new twist."

Incidentally, it seems that Slashdot's ASCII-only URL reporting system successfully deflects such spoofing here: Go to paypal.com

Unicode has already fixed this problem

[fizbin]

There is already a fix for this IDN problem in the unicode spec, if people would just use it:

Before resolving, all domain names should be normalized according to normalization form KC. (see http://www.unicode.org/unicode/reports/tr15/) Once that's done, anything that looks like an "a" really will be an "a", and not something that looks identical in Cyrillic.

That simple (SIMPLE!) step would avoid this problem, almost completely. There'd still be an issue with people using "paypál" instead of "paypal", but at least then the user has some vague chance of seeing the difference in the URL in the browser window.

It would also be good if responsible registrars refused to accept domain registrations for domains not normalized according to NFKC, but asking companies to refuse business simply because someone else would get hurt is probably not going to be effective.

Re:Bug in browser, or in Unicode?

The short answer is no. If you start taking away this feature from browser, non-Latin named domain owners will complain (yes, they do exist). The Unicode problem has more to do with the fact that many browsers only check for canonical equivalents for Latin-based code points, not Russian, Chinese, or any other languages. And yet, canonical equivalents for these characters have existed in Unicode standard for a long time. Grapheme cluster equivalence though, is very tricky to implement, which may never be implemented in most software, not just browsers.

Previous Slashdot article

[rsteele19]

Slashdot has covered this problem before.

Re:Typing foreign characters

[greed]

However on the subject of typing: the real problem is that typing foreign characters is insanely hard in every OS out there.

This is strongly dependent on both the language and OS in question. For example, Japanese input methods work very well on US keyboards; you key in romaji, and the input method converts it to hirigana or katakana on the fly. When you hit space, a menu of kanji with the given reading is presented. Space again picks the first one, or cursor up/down before hitting space to pick another.

This is apparently a quite common input method, as a Japanese friend who had never used a Mac told me how to use OS X's input method.

The dead keys on Mac OS for Western European languages are also quite easy to get used to. (The AltGr thing on X11 I'm not so fond of.)

But, of course, most Scandinavian users (referring to the grandparent post) will have Scandinavian keyboards, and they aren't entering foreign language sites, they're going to sites in their native languages.

A few more browser tests (and IE *is* affected)

[Reziac]

Where "sees" means "displays it this way on the status line":

Netscape 3.04 sees http://www.p?ypal.com/ -- looks the same in docsource

OffByOne 3.4a sees http://www.p0ypal.com/ -- looks the same in docsource

K-Meleon 0.9 sees http://www.p?ypal.com/ -- looks like http://www.pypal.com/ in docsource

IE 5.00.2314.1003 (yes, minor builds can make a *big* difference in how IE displays stuff) sees it as http://www.paypal.com/, but the "a" is about half normal size (this is at 1024x768). Docsource as IE feeds it to notepad looks like http://www.pypal.com/

Mozilla 1.5 sees it exactly the same as IE5.00 (above), including docsource

AOLpress (HTML editor with built-in browser) sees it exactly the same as OffByOne (above), including docsource

Netscape 4.50 sees http://www.p?ypal.com/ but displays http://www.pypal.com/ in docsource

Firebird 0.7 sees it exactly the same as Moz 1.5 and IE5.00 (above), including docsource

And Mosaic 0.9 can't figure out WHAT to do with the page and wants to save it to disk.

At this point, I ran out of installed browsers. :)

Re:This is a really old spoof

[aneroid]

u mean this?

<o:LastSaved>2002-01-31T17:32:00Z</o:LastSaved>

(dated feb 2002)

Its not a BUG!

[maxkueng]

As I see it, it is not a bug. International Domain Names are a standatd sind a while, already. The only problem is that some unicode characters look exactly like some UTF-8 characters and because of that, people can be "cheated".

But who needs IDNs??
In Mozilla/Firefox and maybe also in Thunderbird (if you download the about:config extension) IDNs can be disabled by using the about:config thingie.

Open your Gecko based brwoser and type "about:config" (without the quotes) and hit return. Search for "network.enableIDN" (without the quotes) and set it to "false" (without the quotes).

--
Max

Re:Are phishers going to bother with this, though?

[cortana]

The problem is that the browsers are rendering the address correctly.

The HTML entity &#1072; != U+1072. It corresponds to U+0430 CYRILLIC SMALL LETTER A, which it seems most fonts render almost exactly identical to U+0061 LATIN SMALL LETTER A.

It appears the problem is in RFC3491 "Nameprep: A Stringprep Profile for Internationalized Domain Names (IDN)" or RFC3292 "Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)". As I understand it, one of the processes these RFCs describe involve a sanitisation process to be carried out on domain names, that fixes cases where an attacker is using odd unicode control characters to make one character appear like another.

The problem is that these procedures overlooked U+0430 CYRILLIC SMALL LETTER A (and perhaps others?).

So I suggest flagging the address field with a red tint when such characters are discovered as a work around, until the clever people who write RFCs come up with a good idea of how to proceed.

More info on this blog, if you are interested.

browser doesn't need to run as root

[willCode4Beer.com]

Generally, these are tools (run as a regular user) to gain root access by exploiting things on the local box that are not accessible via the network. Espicially programs running with the suid bit (cron anyone?)
If you run linux you will normally see many frequent security patches to protect *local* programs from just such exploits.