Shmoo Group Finds Exploit For non-IE Browsers
shut_up_man writes "Saw this on Boing Boing: East coast hacker con Shmoocon ended today and they had a nasty browser exploit to show off... using International Domain Name (IDN) character support to display fake domain names in links and the address bar. Their examples use Paypal (with SSL too) and this looks very useful for phishing attacks. Interesting note that it works in every browser *except* IE (which makes this exploit a lot less dangerous in the end, I suppose)." The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.
This isn't per-se a browser fault, it is more of a flaw in the IDN system.
At least, we can bash FF instead of IE now.
I can remember discussions about it years ago. I'd bet there may even be a /. article about it, although it's not really worth searching to see.
This was a big part of the criticism around supporting larger character sets in domain names.
I hope you do realize that on most computers, if the view source tool has ever been used, it was because the user hit it accidentally while trying to access another menu item or key combination...
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
yeah, cos we ALL watch that stuff - and my monitor is at 320x200 so 3 pixels out is easy to spot . . . .
The problem is not their implementation, which is likely correct. The problem is that the standard is "wrong" in this respect.
So it will be quite difficult to fix this without breaking and/or changing the standard.
> Are phishers going to bother trying to use this exploit if it works on less than 10% of their potential victims?
They sure are. Think about how many people actually respond to spam messages. It's probably much smaller than 0.01%, but it's still economical enough for them to send out the messages anyway. I'd be fairly confident that the same holds true for phishers, too.
"Pokey, are you drunk on love?" "Yes. Also whiskey. But mostly love... and whiskey."
Well it isn't really a bug. Their implementation is correct; it just suffers a flaw that IDN introduced. So from a technical point of view, the browser does what it is supposed to do. However it would be nice to see them implement some kind of protection against Unicode letters looking like ASCII letters. A warning popup or colour coding of those letters maybe.
This will probably lose me major karma for going against groupthink, but the statement that "The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable." does seem ridiculously biased.
While it may be technically true, it's like suggesting Firefox is susceptible to IE's infamous ActiveX vulnerabilities, just because there's an ActiveX plugin for Firefox too. Everyone is quick to jump on MS when there are new IE exploits, but we've got to accept that this seems to be one they got right. Making excuses about plugins doesn't really change that.
Blame the stupid user because they don't read the source for every web page they go to? Come on. Are you, the highly intelligent informed user, going to start doing that now, even though there are no visual cues on the rendered page that something is amiss?
I suppose you understand how pharmaceuticals fully interact with your body? Or I suppose you fully understand every working part in your car?
There are plenty of things people use that they have very little understanding of. They may know the interface of that device or system, but beyond that, it's all a black box to them. Browsers included.
If you go by your statement of "if you don't understand it, don't use it", I'm sure there are plenty of things you can eliminate out of your own life as well.
Live forever, or die trying.
The fix is simple for this (for Firefox at least), just have a little bar appear at top (like the popup one) and have a message saying that there are international characters in the address. Have a button with a link to the non-international charactered page. There's no reason to kill international character support, just make it so that the user is warned.
"For years, I struggled with reality... but I'm happy to say I finally won out over it." -- Elwood P. Dowd
IE wasn't relevant to this article, yet you found a way to wedge it in and smear it regardless.
What about to the people who have the plugin for IDN? This is a place for geeks, and there are bound to be people that have that sort of plugin. Saying IE isn't affected is pretty much false in that light.