Shmoo Group Finds Exploit For non-IE Browsers
shut_up_man writes "Saw this on Boing Boing: East coast hacker con Shmoocon ended today and they had a nasty browser exploit to show off... using International Domain Name (IDN) character support to display fake domain names in links and the address bar. Their examples use Paypal (with SSL too) and this looks very useful for phishing attacks. Interesting note that it works in every browser *except* IE (which makes this exploit a lot less dangerous in the end, I suppose)." The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.
This isn't per-se a browser fault, it is more of a flaw in the IDN system.
At least we can bash FF instead of IE now.
I can remember discussions about it years ago. I'd bet there may even be a /. article about it, although its not really worth searching to see.
This was a big part of the criticism around supporting larger character sets in domain names.
The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.
IE wasn't relevant to this article, yet you found a way to wedge it in and smear it regardless.
The browsers the exploit WAS found for weren't even mentioned by name, yet IE was.
How is this anything except nasty propaganda?
I hope you do realize that on most computers, if the view source tool has ever been used, it was because the user hit it accidentally while trying to access another menu item or key combination...
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
yeah, cos we ALL watch that stuff - and my monitor is at 320x200 so 3 pixels out is easy to spot . . . .
My Portfolio
Firefox 1.0 on Windows with IDN off and a cleared cache is still affected (even after a restart of firefox).
The problem is not their implementation, which is likely correct. The problem is that the standard is "wrong" in this respect.
So it will be quite difficult to fix this without breaking and/or changing the standard.
I thought this was a well-known attack -- using Unicode characters that look like latin but aren't. As more and more web sites start accepting unicode in user names without policing, I think we'll find more interesting applications for this type of attack.
This is not that different from "spoofing" using this address:
http://www.paypaI.com, i.e. replacing the lower-case L with an upper-case i. (Except that paypai.com happens to be taken already, by an annoying site that maximizes the browser window, no less.)
Cmon. We are all touting Firefox to be the next "Greatest" thing since sliced bread. I have it installed on most of my family's machines. What now when M$ turns this around and says: "See? Only MS prevented this flaw because of our proprietary tested..bla blah".
All it takes is 1% of the 10 percent.
Sig it.
Links is unaffected - it goes to the real paypal site.
> Are phishers going to bother trying to use this exploit if it works on less than 10% of their potential victims?
They sure are. Think about how many people actually respond to spam messages. It's probably much smaller than 0.01%, but it's still economical enough for them to send out the messages anyway. I'd be fairly confident that the same holds true for phishers, too.
"Pokey, are you drunk on love?" "Yes. Also whiskey. But mostly love... and whiskey."
Well it isn't really a bug. Their implementation is correct it just suffers a flaw that IDN introduced. So from a technical point of view, the browser does what it is supposed to do. However it would be nice to see them implement some kind of protection against unicode letters looking like ASCII-letters. A warning popup or colour coding of those letter maybe.
"This is just more FUD people"
Ah, I get it. When it's about FireFox, it's FUD. When it's about Microsoft, it's just another reason to switch. Am I getting warm?
"Derp de derp."
Comments like this worry me. We really have to be careful about letting our guard down just because Firefox is more secure. The whole point of the article is that the exploits DO exist.
On one hand, we (the /. community) love to talk about how Firefox's market share is growing quickly but then minimize potential problems. So how is this problem 'less dangerous than some IE exploits'?
Don't get me wrong, I'm all about Firefox, but we can't get lazy.
Maybe one language is a little bit overkill. How about limiting it to one char. set?
This will probably lose me major karma for going against groupthink, but the statement that "The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable." does seem ridiculously biased.
While it may be technically true, it's like suggesting Firefox is susceptible to IE's infamous ActiveX vulnerabilities, just because there's an ActiveX plugin for Firefox too. Everyone is quick to jump on MS when there's new IE exploits, but we've got to accept that this seems to be one they got right. Making excuses about plugins doesn't really change that.
Blame the stupid user because they don't read the source for every web page they go to? Come on. Are you, the highly intelligent informed user, going to start doing that now, even though there are no visual cues on the rendered page that something is amiss?
Totally untrue. What version of FF are you using?
I suppose you understand how pharmaceuticals fully interact with your body? Or I suppose you fully understand every working part in your car?
There are plenty of things people use that they have very little understanding of. They may know the interface of that device or system, but beyond that, it's all a black box to them. Browsers included.
If you go by your statement of "if you don't understand it, don't use it", I'm sure there are plenty of things you can eliminate out of your own life as well.
Live forever, or die trying.
Uh, guess what, most people don't understand what goes on inside an ATM. Almost no one (statistically) knows what goes on inside their engine, let alone their PCM. Most people don't even understand what all is involved in water getting to their house. Does that mean no one should use an ATM, drive a car, or turn on the faucet? Expecting users to know how HTML works before they surf the web is like expecting them to be an architect before they enter a building.
The fix is simple for this (for Firefox at least): just have a little bar appear at the top (like the popup one) with a message saying that there are international characters in the address. Have a button with a link to the non-international-character page. There's no reason to kill international character support, just make it so that the user is warned.
"For years, I struggled with reality... but I'm happy to say I finally won out over it." -- Elwood P. Dowd
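The address-bar check proposed in the comment above (and the look-alike problem raised elsewhere in the thread, including the ASCII paypaI.com variant), as an added example that is not code from the thread or from any browser. It uses only the Python standard library; the mixed-script rule is a simplified form of the idea (Unicode TS #39 defines the full restriction levels), and the confusables table is a constructed handful of entries, not the real Unicode list.

```python
import unicodedata
from typing import Optional

# East Asian scripts are commonly mixed within one legitimate label, so they
# are folded into a single group instead of being flagged as "mixed".
EAST_ASIAN = {"CJK", "HIRAGANA", "KATAKANA", "HANGUL", "BOPOMOFO"}

# Constructed, deliberately tiny confusables table: a few Cyrillic letters that
# render like Latin ones, plus ASCII pairs such as capital I / lower-case l.
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u0443": "y",
                             "I": "l", "1": "l", "|": "l", "0": "o"})

def decode_host(host: str) -> str:
    """Map punycode labels (xn--...) back to Unicode with the stdlib idna codec."""
    return host.encode("ascii").decode("idna") if host.isascii() else host

def script_of(ch: str) -> str:
    """Rough script taken from the Unicode character name: LATIN, CYRILLIC, CJK..."""
    if not ch.isalpha():
        return "COMMON"                       # digits, hyphen, dot
    script = unicodedata.name(ch, "UNKNOWN").split()[0]
    return "CJK" if script in EAST_ASIAN else script

def classify_host(host: str) -> str:
    """'ascii': nothing to flag; 'idn': non-ASCII but one script per label;
    'mixed': some label mixes scripts, e.g. Cyrillic 'a' inside Latin 'paypal'."""
    uni = decode_host(host)
    if uni.isascii():
        return "ascii"
    for label in uni.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            return "mixed"
    return "idn"

def skeleton(host: str) -> str:
    """Collapse look-alike characters so an imitation compares equal to the original."""
    return decode_host(host).translate(CONFUSABLES).lower()

def lookalike_of(host: str, trusted) -> Optional[str]:
    """Return the trusted hostname this one imitates, or None (also None if it IS one)."""
    uni = decode_host(host)
    for t in trusted:
        if uni.lower() != t.lower() and skeleton(uni) == skeleton(t):
            return t
    return None

if __name__ == "__main__":
    trusted = ["www.paypal.com"]
    for h in ["www.paypal.com", "www.paypaI.com", "www.xn--pypal-4ve.com"]:
        print(h, classify_host(h), lookalike_of(h, trusted))
```

A browser-side warning bar would fire on "mixed" or on a non-None `lookalike_of` result, while a plain "idn" result is what a legitimate Chinese or Japanese domain produces.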
Wrong. IDN is supposed to be a standard. IE does not support it, but this is not really a positive thing.
Note that IE (just like the other browsers) does not do anything to warn you when you are going to www.paypaI.com instead of www.paypal.com. This is exactly the same old trick as the one described in this advisory, except that it relies on similarities between ASCII characters (capital i and l) instead of ASCII vs non-ASCII characters.
Do tell me how I am going to type in a Chinese or Japanese domain name if I don't have the keyboard layout (not to mention that I may not even know *how* to input all these glyphs...).
Do tell me when you became the world. Just because you personally likely won't use a feature doesn't mean it isn't useful for someone out there (what's the population of China and Japan combined?)
Je ne parle pas francais.
i.e.
Looking at the source would get a little tedious if one has to do it before clicking on every single link.
>The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.
Well, if we're going to disregard them on those grounds, we might as well disregard ActiveX exploits too (since FireFox doesn't support it). An exploit is an exploit. Don't play the game of justification.
p.s. I use Firefox.
Although not a Linux, Windows, or Mac vulnerability, it could become one.
If the site spoofed were a trusted site for Firefox extensions, they could get some code to execute on the box. They could package a rootkit and take control of a Linux or Mac, or use the buffer overflow du jour to take control of a Windows machine. Granted, Linux would be the most difficult due to the large variation of distros (and each distro differs in opinion on where files belong), compiler options, etc.
For a truly secure OS, you should remove all applications and just run the OS in its pure state.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
Has anyone checked to see if this exploit is possible in the recent 1.0.1 builds? Presumably they contain security fixes... perhaps for this issue among whatever others exist.
This seems to be more of a bug in Unicode than in the browsers. Unicode has defined multiple character codes as having the exact same glyph. I thought we'd already run into this in Unicode with multiple long representations of the same character, decided it was a bad thing and corrected it by making any representation longer than the shortest illegal. Shouldn't we do the same thing here, and simply make it illegal to have multiple character codes appearing as the same glyph?
Can anyone please tell me why people "hack" or "phish" or anything that is used for malicious activity? I'm not trying to start an argument, I seriously want to know why some people spend so much time trying to make others lives miserable.
Money.
Think for a minute why it would be beneficial to the bad guys to have people logging into their site with valid PayPal usernames and passwords.
Perhaps refraining from adding a feature until it can be done right could be considered "getting something right". And it would be easy to change "Microsoft got something right" to "Everybody except Microsoft got something wrong". But I would agree that in this case Microsoft didn't make their browser safer through actual thought. They just got lucky.
Yes, RISKS digest warned about this well over a year ago when IDN was being discussed.
Obviously, everyone went ahead and implemented IDN anyway, without fixing the problem. I mean, this is the computer industry after all...