Slashdot Mirror


Shmoo Group Finds Exploit For non-IE Browsers

shut_up_man writes "Saw this on Boing Boing: East coast hacker con Shmoocon ended today and they had a nasty browser exploit to show off... using International Domain Name (IDN) character support to display fake domain names in links and the address bar. Their examples use Paypal (with SSL too) and this looks very useful for phishing attacks. Interesting note that it works in every browser *except* IE (which makes this exploit a lot less dangerous in the end, I suppose)." The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.

2 of 621 comments

  1. Re:Propaganda by bersl2 · Score: 0, Redundant

    Can we please get that headline changed to read "Shmoo Group Find Exploit in All IDN Implementations" or something like that? The headline really gives the wrong impression, despite there being a note at the end of the write-up.

  2. How to fix it in Firefox by chromium · Score: 0, Redundant

    Go to about:config in the address bar.

    Search for the property:

    network.enableIDN

    Change this to false as per the advisory workaround in http://www.shmoo.com/idn/homograph.txt. "V. Workaround You can disable IDN support in mozilla products by setting 'network.enableIDN' to false. There is no workaround known for Opera or Safari."
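
A defender-side check for the IDN display trick described in the story, as an added example that is not part of the original thread or the Shmoo advisory: it decodes `xn--` labels and flags hostnames whose labels mix scripts. The function names, the script classification by Unicode character name (a coarse heuristic) and the sample hostname are assumptions constructed for this example.

```python
import unicodedata

def script_of(ch):
    """Coarse script guess from the Unicode character name (LATIN, CYRILLIC, ...)."""
    if ch in "0123456789-":
        return None  # digits and hyphen are shared by all scripts
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def to_unicode(label):
    """Decode an ACE ("xn--") label to Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def check_host(host):
    """Return (unicode_label, verdict) per label.

    Verdicts: 'ascii', 'idn', 'mixed-script' or 'malformed'.
    """
    findings = []
    for label in host.rstrip(".").split("."):
        try:
            text = to_unicode(label)
        except ValueError:  # UnicodeError is a ValueError subclass
            findings.append((label, "malformed"))
            continue
        scripts = {script_of(c) for c in text} - {None}
        if text.isascii():
            verdict = "ascii"
        elif len(scripts) > 1:
            verdict = "mixed-script"  # e.g. Latin letters plus one Cyrillic letter
        else:
            verdict = "idn"  # single non-Latin script; may be legitimate
        findings.append((text, verdict))
    return findings

def is_suspicious(host):
    """True when any label mixes scripts or fails to decode."""
    return any(v in ("mixed-script", "malformed") for _, v in check_host(host))

# Constructed sample: "example" with Cyrillic U+0430 in place of Latin "a".
SAMPLE = "ex\u0430mple.com"
SAMPLE_ACE = "xn--" + "ex\u0430mple".encode("punycode").decode("ascii") + ".com"

if __name__ == "__main__":
    for h in ("example.com", SAMPLE, SAMPLE_ACE):
        print(ascii(h), ascii(check_host(h)))
```

A label written entirely in one non-Latin script is reported as `idn` rather than suspicious, so whole-script lookalikes need a separate confusables check.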