Slashdot Mirror


Shmoo Group Finds Exploit For non-IE Browsers

shut_up_man writes "Saw this on Boing Boing: East coast hacker con Shmoocon ended today and they had a nasty browser exploit to show off... using International Domain Name (IDN) character support to display fake domain names in links and the address bar. Their examples use Paypal (with SSL too) and this looks very useful for phishing attacks. Interesting note that it works in every browser *except* IE (which makes this exploit a lot less dangerous in the end, I suppose)." The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.

5 of 621 comments

  1. So what? by Anonymous Coward · Score: 5, Insightful

    This isn't per se a browser fault, it is more of a flaw in the IDN system.

    At least, we can bash FF instead of IE now.

  2. Re:Another IDN bug on Firefox by drinkypoo · Score: 5, Insightful

    I hope you do realize that on most computers, if the view source tool has ever been used, it was because the user hit it accidentally while trying to access another menu item or key combination...

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  3. Re:Another IDN bug on Firefox by Tetsugaku-San · Score: 5, Insightful

    yeah, cos we ALL watch that stuff - and my monitor is at 320x200 so 3 pixels out is easy to spot . . . .

  4. Re:Opera won't fix it? by TheIndividual · Score: 5, Insightful

    Well, it isn't really a bug. Their implementation is correct; it just suffers from a flaw that IDN introduced. So from a technical point of view, the browser does what it is supposed to do. However, it would be nice to see them implement some kind of protection against Unicode letters looking like ASCII letters. A warning popup or colour coding of those letters, maybe.
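
Added example, not part of the thread or of any browser's code: one way a client could implement the kind of protection comment 4 asks for, by flagging any hostname label that mixes scripts and showing that label in its ASCII (punycode) form instead. The hostname used in the sample run (`ex\u0430mple.test`, with a Cyrillic "a") is constructed, and the function names are this example's own.

```python
import unicodedata


def char_script(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if ch.isascii() and (ch.isdigit() or ch == "-"):
        return "COMMON"  # ASCII digits and hyphen are shared by every script
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def label_scripts(label):
    """Set of scripts used in one dot-separated label, ignoring shared characters."""
    return {char_script(c) for c in label} - {"COMMON"}


def display_form(hostname):
    """Return (text safe to show in the address bar, list of flagged labels).

    A label that mixes scripts (e.g. LATIN + CYRILLIC) is flagged and rendered
    as xn--<punycode>, so a lookalike letter can no longer pass for ASCII.
    """
    shown, suspicious = [], []
    for label in hostname.lower().split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            suspicious.append((label, sorted(scripts)))
            shown.append("xn--" + label.encode("punycode").decode("ascii"))
        else:
            shown.append(label)
    return ".".join(shown), suspicious


if __name__ == "__main__":
    # Constructed samples: plain ASCII, single-script non-ASCII, mixed-script.
    for host in ["example.test", "m\u00fcnchen.test", "ex\u0430mple.test"]:
        text, flagged = display_form(host)
        status = "WARN" if flagged else "ok"
        print(f"{status:4} {text}  {flagged}")
```

This check only catches labels that mix scripts; a label written entirely in one non-Latin script that happens to resemble an ASCII name needs a confusables table as well, and legitimate combinations such as Japanese kana with kanji would need an allowlist.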

  5. Re:Another IDN bug on Firefox by Ced_Ex · Score: 5, Insightful

    I suppose you understand how pharmaceuticals fully interact with your body? Or I suppose you fully understand every working part in your car?

    There are plenty of things people use that they have very little understanding of. They may know the interface of that device or system, but beyond that, it's all a black box to them. Browsers included.

    If you go by your statement of "if you don't understand it, don't use it", I'm sure there are plenty of things you can eliminate out of your own life as well.

    --
    Live forever, or die trying.