Shmoo Group Finds Exploit For non-IE Browsers

shut_up_man writes "Saw this on Boing Boing: East coast hacker con Shmoocon ended today and they had a nasty browser exploit to show off... using International Domain Name (IDN) character support to display fake domain names in links and the address bar. Their examples use Paypal (with SSL too) and this looks very useful for phishing attacks. Interesting note that it works in every browser *except* IE (which makes this exploit a lot less dangerous in the end, I suppose)."v The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.

Another IDN bug on Firefox

[IO+ERROR]

When trying this out on Firefox on Linux, I noticed that the URL in the address bar is rendered two or three pixels lower than normal. If you're paying close attention, this is easy to spot. Also, the "real" URL appears in the status bar while the spoofed page is being loaded, i.e. "Looking up www.xn--pypal-4ve.com..."

To disable IDN as a workaround for this problem (on Gecko-based browsers): hit about:config and set network.enableIDN to false.

Re:Another IDN bug on Firefox

[drinkypoo]

I hope you do realize that on most computers, if the view source tool has ever been used, it was because the user hit it accidentally while trying to access another menu item or key combination...

Re:Another IDN bug on Firefox

[Tetsugaku-San]

yeah, cos we ALL watch that stuff - and my monitor is at 320x200 so 3 pixels out is easy to spot . . . .

Re:Another IDN bug on Firefox

[vivin]

Who says this is a Linux vulnerability? This is a browser vulnerability.

Browsers != Linux.

And it's not FUD - it is an actual problem. It sure tricked Firefox running on my windows machine.

Re:Another IDN bug on Firefox

[Troed]

Works 100% as advertised in Opera. No easy way to spot it's fake.

On the other hand, this is nothing new. This was predicted a long time ago when debating on how to handle websites with charactersets incompatible with the ones used in Western countries ..

Re:Another IDN bug on Firefox

[squiggleslash]

Just tried it on Safari, and unfortunately none of the "bugs" that occur in Firefox that give the game away are present. Mouseover looks like Paypal. Connecting message shows nothing untoward. Renders as "www.paypal.com" in the regular font and location on the URL bar.

I wonder if there's a quick and easy fix for this for Safari users, like there is for Firefox (about:config, network.enableIDN -> false.)

Re:Another IDN bug on Firefox

[duvie]

One: the setting of enableIDN to false appears to have NO effect.

Two: The only way to see that you are not at paypal (unless you notice the flash-by in the status bar) is to look at the certificate details. For the POC site, the certificate was issued to "www.xn--pypal-4ve.com"

We all read those certs every time, neh?

Re:Another IDN bug on Firefox

[finkployd]

To disable IDN as a workaround for this problem (on Gecko-based browsers): hit about:config and set network.enableIDN to false.

That is a great suggestion, except for the part where it does not work.

Go ahead, make the change, then restart your browser. Now go look at about:config again. Yup, still set to false. Now go see if it the setting worked. It does not. So at least with Firefox 1.0 just took a bad situation and made it worse. Now people will think turning off this setting will actually accompolish something and protect them and it will not.

Finkployd

Re:Another IDN bug on Firefox

[aWalrus]

It worked for me (firefox in OS X). What it does is fix the lookup, not the display, so the links will still look as they did, but when you click on them it says "domain not found"

Re:Another IDN bug on Firefox

[double-oh+three]

And when this was presented at Shmoocon they mentioned that, IIRC they said that it was first thought up in 2001. Safari's fooled too, with the source code thing not apparently working. However if you try to save the page the international characters will disappear from the filename.

Re:Another IDN bug on Firefox

[stuntpope]

Blame the stupid user because they don't read the source for every web page they go to? Come on. Are you, the highly intelligent informed user, going to start doing that now, even though there are no visual cues on the rendered page that something is amiss?

Re:Another IDN bug on Firefox

[Ced_Ex]

I suppose you understand how pharmaceuticals fully interact with your body? Or I suppose you fully understand every working part in your car?

There are plenty of things people use that they have very little understanding of. They may know the interface of that device or system, but beyond that, it's all a black box to them. Browsers included.

If you go by your statement of "if you don't understand it, don't use it", I'm sure there are plenty of things you can eliminate out of your own life as well.

Re:Another IDN bug on Firefox

[AstroDrabb]

Hmm, I stand corrected. Setting enableIDN and then testing worked right away for me. Until I restarted my browser. About:config still shows enableIDN set to false, but the spoof works again. However, if I go back into about:config and reset enableIDN to false, it again stops the spoof.

Maybe it is a problem in the Firefox startup code not setting enableIDN properly.

Re:Another IDN bug on Firefox

[AstroDrabb]

Restart you browser and then try again. I thought it was working until a restart of Firefox and it appears that the Firefox startup code doesn't properly set enableIDN based on your profile settings. As soon as you restart, the spoof works again. However, go into about:config and you will see that enableIDN is still set to false, so toggle it to true and then false again and the spoof won't work. Rinse, repeat.

Re:Another IDN bug on Firefox

[strider44]

It's obvious without even looking for it on my 1280x1024 low-size font resolution. However most users will just think "that's odd" and not take any precautions.

Re:Another IDN bug on Firefox

[callipygian-showsyst]

I wonder if there's a quick and easy fix for this for Safari users,

There is! Run I.E. in a VirtualPC window.

Re:Another IDN bug on Firefox

[bahamat]

It was probably cached, which does nothing to help anyone. Any user no matter how long they've been using computers is apt to think that disabling it will make a difference right away. I've been developing websites for close to 10 years, and browser cache is the biggest thorn in my side in that area.

While you can view the certificate in Firefox, it takes a whopping 4 clicks to get the info that shows the page is bogus (double click the lock icon, click security tab, click view cert). The average user will never find it. Even the above average users will be thrown by the General tab which shows the spoofed URL as though it were the real one. If they don't actively hunt down all indications that a site may be spoofed, they're going to be fooled.

What's worse, is that Safari doesn't even give the option to view certificates that it thinks are valid (not expired and signed by a valid root CA).

Ouch.

Re:Another IDN bug on Firefox

[bunratty]

This has been reported as bug 281377.

Re:Another IDN bug on Firefox

[sn0wflake]

You mean most users will never, ever, notice it. Even I as a Slashdot reader don't look at the URL constantly.
Recon spyware coders will implement this in their programs now so it'll work in MSIE.

Re:Another IDN bug on Firefox

[AstroDrabb]

It was probably cached

No, it wasn't cached. I cleared the cache in Firefox and also if you hold down shift and click Refresh, Firefox skips the cache and goes right to the server for the content. I think that the about:config interface correctly updated the enableIDN variable while the startup Firefox code doesn't look for the enableIDN settings in your user profile. To me that would explain why the settings take place immediately, yet fail to be set when you restart your browser.

Are phishers going to bother with this, though?

[The+I+Shing]

I'm surprised to hear that Microsoft's refusal to adopt international standards in their browser actually thwarts a potential phishing attack rather than aiding it. If the problem can't be fixed in the browsers, maybe email clients and websites can find some way of decoding, detecting, and disabling such links. Are phishers going to bother trying to use this exploit if it works on less than 10% of their potential victims?

Re:Are phishers going to bother with this, though?

[AbbyNormal]

Cmon. We are all touting Firefox to be the next "Greatest" thing since sliced bread. I have it installed on most of my family's machines. What now when M$ turns this around and says: "See? Only MS prevented this flaw because of our proprietary tested..bla blah".

All it takes is 1% of the 10 percent.

Re:Are phishers going to bother with this, though?

[moon-monster]

> Are phishers going to bother trying to use this exploit if it works on less than 10% of their potential victims?

They sure are. Think about how many people actually respond to spam messages. It's probably much smaller than 0.01%, but it's still economical enough for the to send out the messages anyway. I'd be fairly confident that the same holds true for phishers, too.

Re:Are phishers going to bother with this, though?

[double-oh+three]

The fix is simple for this(for firefox at least), just have a little bar appear at top(like the popup one) and have a message saying that there are international characters in the address. Have a button with a link to the non-international charactered page. There's no reason to kill international character support, just make it so that the user is warned.

Canned Slashdot Response

[bigtallmofo]

Serves those Internet Explorer users right! They should immediately switch to ... uh, wait. Nevermind.

So what?

This isn't per-se a browser fault, it is more of a flaw in the IDN system.

Atleast, we can bash FF instead of IE now.

Re:So what?

[kimba]

It isn't even that. It is a fundamental side-effect with the the notion of internationalization, and the fact cyrillic and latin (and others) share the same letters. More specifically you may consider it can be pinned on the way Unicode enumerates characters (by giving different code points to letters rendered the same).

It isn't a fault of the browser or IDNs.

Switch

Damnit... now I'm switching back.

IE also fails! (kinda)

[grandmofftarkin]

The first thing I did was fire up IE (a rare occurrence) and test this. IE also failed (for me). Then I remembered that I have the i-Nav plug-in installed. Granted, this isn't actually a fault of IE then but rather the plugin. Though it should be noted that IE is only spared because (in it's default configuration, i.e. without the plugin) it doesn't support standards. In this case that standard is Punycode.

This would actually appear to be a flaw in the Punycode standard rather than the browsers themselves, given that all IDN (internationalized domain name) aware browsers similarly fail.

Looks like someone may have to fix Punycode. Then we can update the browsers. In the mean time perhaps Opera, Firefox, etc. can given some kind of visual notification when Punycode is used, in the same way the URL turns yellow when a secure URL is entered in Firefox.

Firefox 1.0

[rubypossum]

If you "View Source" for some weird reason the real address shows up in the title bar.

This isn't a newly discovered exploit.

[tgd]

I can remember discussions about it years ago. I'd bet there may even be a /. article about it, although its not really worth searching to see.

This was a big part of the critisism around supporting larger character sets in domain names.

Re:This isn't a newly discovered exploit.

[mithras+the+prophet]

Here's the earlier article: Spoofing URLs With Unicode. Summary:

"Scientific American has an interesting article about how a pair of students at the Technion-Israel Institute of Technology registered "microsoft.com" with Verisign, using the Russian Cyrillic letters "c" and "o". Even though it is a completely different domain, the two display identically (the article uses the term "homograph"). The work was done for a paper in the Communications of the ACM (the paper itself is not online). The article characterizes attacks using this spoof as "scary, if not entirely probable," assuming that a hacker would have to first take over a page at another site. I disagree: sending out a mail message with the URL waiting to be clicked ("Bill Gates will send you ten dollars!") is just one alternate technique. While security problems with Unicode have been noted here before, this might be a new twist."

Incidentally, it seems that Slashdot's ASCII-only URL reporting system successfully deflects such spoofing here: Go to paypal.com

Opera won't fix it?

[MoonFog]

From the text:
VI. Vendor Responses

Verisign: No response yet.
Apple: No response yet.
Opera: They believe they have correctly implemented IDN, and will not be making any changes.
Mozilla: Working on finding a good long-term solution; provided clear workaround for disabling IDN.

So, Opera won't fix it? They have a proof of concept, and Opera believe their implementation is correct? Maybe, but they still need to provide an update, and something tells me they will .. eventually.

Re:Opera won't fix it?

[Wudbaer]

The problem is not their implementation, which is likely correct. The problem is that the standard is "wrong" is this respect.

So it will be quite difficult to fix this without breaking and/or changing the standard.

Re:Opera won't fix it?

[TheIndividual]

Well it isn't really a bug. Their implementation is correct it just suffers a flaw that IDN introduced. So from a technical point of view, the browser does what it is supposed to do. However it would be nice to see them implement some kind of protection against unicode letters looking like ASCII-letters. A warning popup or colour coding of those letter maybe.

I'm waiting the patch from MS

[gustgr]

Ok, it doesn't work in IE... so when the patch will be released? I mean... it is IE, the exploits HAVE to work. Microsoft should be worried, they are not doing their job properly.

Known for years....

[Chris_Jefferson]

Seriously, it's been known for years that adding international character sets was going to cause the problem of multiple identical (or almost identical) characters.

On the other hand, no-one really seems sure of the best way to fix it... One option is obviously to mark somehow when non-ASCII characters are used, but while this will help the people who only want ASCII URLs, it will still leave the problem for everyone who wants to use this extended system, making it effectively useless....

IDNs were a bad idea anyway

Except when implemented in their own country code namespace of course.

There are so many characters that look alike, that it is trivial to register a domain name that will look the same as another one. Typically the different character would only be recognised by a native that used that character, although using it alongside normal English characters would probably throw them off as well.

Solution? Maybe an "IDN" icon in the URL bar, or a warning if an IDN uses a mixture of normal English characters with some foreign characters in an IDN.

network.enableIDN doesn't fix things

[openSoar]

The 'fix' they mention (setting network.enableIDN to false via about:config) only works until you restart the browser - when you reopen the browser, things are back to the same even though the setting is still false..

Re:network.enableIDN doesn't fix things

[finkployd]

I was fully prepared to test this myself, find out you were either full of it (or a troll), and let /. know you were wrong.

My plan was going perfectly, right up to the point where what you said turned out to be 100% correct :(

Shame on Firefox for taking a bad situation and making it worse. If about:config reports that a security related setting is X when in fact it is Y, this is worse than not providing a fix at all. A false sense of security (from a browser that is supposed be better) is worse than being aware of the security problems and reacting accordingly.

Finkployd

Not Lynx

[OECD]

It doesn't seem to work with Lynx, either. The URLs are obviously different from what they're supposed to be, and they don't point to any site at all.

Lynx does try the URL, though, so it may be possible to set up another domain to catch it, but the URL would still be obviously wrong (something like p%a%y%p%a%l.com)

ICANN is worried too

[Peter_Pork]

From ICANN's log:

There are many technical problems with this change. It essentially undermines IDNA, which is now on standards track, by adding a level of guessing to the DNS that IDNA is explicitly designed to avoid. Further, it makes it appear that IDNs are only useful in domain names for web sites (and only for sites in .com and .net), and only at the second level. VGRS has said that their plug-in will not work with most of the ccTLDs, for example.

For example, if you enter .com in Internet Explorer for Windows, where "" is the single hex octet 0xE5, you see the screen shown in the attached file called "[lynn-message-to-iab-06jan03-]e5.tif". (Sorry about the TIFF image, but it's the only reliable format for PC screen dumps.) As you can see, VGRS makes wild guesses about what the user wanted, some of which are very clearly impossible. Worse yet, they do not include all of the legal guesses that they could have made. And, just to make it completely confusing to the user, not all of the choices work.

The DNS is not supposed to be a best-guess service, yet VGRS has turned .com and .net into this just before IDNA is to be an RFC. VGRS should not be allowed, through its monopoly on the .com and .net gTLDs, to destroy the coherence of the DNS for its own short-term profit. ICANN should demand that VGRS immediately stop giving incorrect answers to any query in .com and .net, and should instead follow the IETF standards. If VGRS refuses, ICANN should re-delegate the .com and .net zones to registries that are more willing to follow the DNS standards.

See this also.

Re:ICANN is worried too

[gowen]

Neither of those are about this concern (homographs between Cyrillic and Latin alphabets). That's a concern about Verisign using non-IDN methods to do DNS-lookups, and (like the late, unlamented SiteFinder) doing fuzzy matches in the case of unrecognised UTF domain names.

Rebuttals

[Jacco+de+Leeuw]

• Oh, come on! Even I saw the differences between those two a's!
• Move your pointer to the padlock and you'll see that the certificate was signed by the UserTrust Network instead of the usual suspects (Verisign, Thawte etc.).
• Certificates from the UserTrust Network are not to be trusted anyway. They don't check anything and you cannot trace back the owner of the domain.
• CAs should rejects CSRs with these characters.
• The CA should revoke those certificates. (You did enable OCSP, didn't you?)
• It doesn't work with links/lynx.

:-)

notepad

[leuk_he]

If i copy /paste the link into notepad it just looks right And if i copuy /past it back to firefox i get the "spoofed" page back again.

next:

Trolls can have a couple of days fun on slashdot.

And verisign van sell a lot of domains to phishers. (profit!)

Re:notepad

[Myen]

Probably depends on Windows version - on 2k/XP at least, Notepad is a Unicode app and can handle non-ASCII characters; not the case in 9x.

Use the command prompt; by default that wouldn't be able to handle the right characters and should show up as '?'. Actually, I think the default raster font for that just doesn't have the character.

Re:notepad

[kerrle]

Microsoft didn't "get something right", they just don't support the feature that this takes advantage of.

IDN support is probably a good thing - we just need a way to show the user the difference between URLs if international characters are used.

Re:notepad

[AmberBlackCat]

Perhaps refraining from adding a feature until it can be done right could be considered "getting something right". And it would be easy to change "Microsoft got something right" to "Everybody except Microsoft got something wrong". But I would agree that in this case Microsoft didn't make their browser safer through actual thought. They just got lucky.

Talk About Asking For Trouble

[sp3c1alK]

Comments like this worry me. We really have to be careful about letting our guard down just because Firefox is more secure. The whole point of the article is that the exploits DO exist.

On one hand, we (the /. community) love to talk about how Firefox's market share is growing quickly but then minimize potential problems. So how is this problem 'less dangerous than some IE exploits'?

Don't get me wrong, I'm all about Firefox, but we can't get lazy.

Douglas Hofstadter: When an A is not an A

[G4from128k]

This brings up the amusing problem of character recognition by human and non-human intelligences. Douglas Hofstadter discusses this issue in on seeing A's and seeing As.

In the case of this exploit, a deep flaw in IDN and computer fonts means that character #1072 is rendered typographically as an "a". The irony is that this is one of the few cases in which a computer can readily tell the difference between "a" and #1072 and a person cannot. The only solution would be rules that prohibit isomorphic characters in typefaces or a in-browser warning system that analyses the potential for ambiguity and alerts the user.

misleading commentary

[jaiyen]

This will probably lose me major karma for going against groupthink, but the statement that "The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable." does seem ridiculously biased.

While it may be technically true, it's like suggesting Firefox is susceptible to IE's infamous ActiveX vulnerabilities, just because there's an ActiveX plugin for Firefox too. Everyone is quick to jump on MS when there's new IE exploits, but we've got to accept that this seems to be one they got right. Making excuses about plugins doesn't really change that.

IDN pain in the but anyway

[spectrokid]

Here in Scandinavia, the letters Å,Æ,Ø, are actually quite new. It is acceptable to spell them as AA, AE and OE respectively on non-scandinavian keyboards. With IDN adresses now becomming available, you constantly have to remember which spelling is used on which website. It would be a hell of a lot more practical if only the 26 alphabeth was used and software would automatically expand ingeniøren.dk to ingenioeren.dk. This way you could use whatever you want. And websites will not be too happy about using special characters, because it makes them almost impossible to reach on non-scandinavian computers.

Re:Stop obsessing over Microsoft, please.

[strider44]

IE wasn't relevant to this article, yet you found a way to wedge it in and smear it regardless.

What about to the people who have the plugin for IDN? This is a place for geeks, and there are bound to be people that have that sort of plugin. Saying IE isn't affected is pretty much false in that light.

Re:Bug or feature?

[Dionysus]

Do tell me how am I going to have to type in a Chinese or Japanese domain name if I don't have keyboard layout (not to mention that I amy not even know *how* to input all these gliphs...).

Do tell me when you became the world. Just because you personally likely won't use a feature doesn't mean it isn't useful for someone out there (what's the population of China and Japan combined?)

You're being too elitist

[Tibor+the+Hun]

I'm planning on taking an airplane flight in 7 years, and am already taking classes on aeronautics, history of flight, airplane engineering, and am enrolled in the technical school for airplane building and maintenancy.^H^H

Uh-oh, looks like my "delete" key stopped working again. Must need another .5 ohm resistor, with a diode overlay. I'll do that as soon as I'm done casting the waterpump for my car.

Exploits

[Novous]

>The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.

Well, if we're going to disregard them on those grounds, we might as well disregard ActiveX exploits too (since FireFox doesn't support it). An exploit is an exploit. Don't play the game of justification.

p.s. I use Firefox.

Browsers ~!= Linux

[willCode4Beer.com]

Although not a Linux, Windows, or Mac vulnerability, it could become one.

If the site spoofed were a trusted site for firefox extensions they could get some code to execute on the box. They could package a root kit and take control of a Linux or Mac, or the Buffer overflow du jour to take control of a Windows machine. Granted the Linux would be the most difficult due the the large variation of distros (and each distro differs on opinion where file belong), compiler options, etc.

For a truly secure OS, you should remove all applications and just run the OS in its pure state.

Unicode has already fixed this problem

[fizbin]

There is already a fix for this IDN problem in the unicode spec, if people would just use it:

Before resolving, all domain names should be normalized according to normalization form KC. (see http://www.unicode.org/unicode/reports/tr15/) Once that's done, anything that looks like an "a" really will be an "a", and not something that looks identical in Cyrillic.

That simple (SIMPLE!) step would avoid this problem, almost completely. There'd still be an issue with people using "paypál" instead of "paypal", but at least then the user has some vague chance of seeing the difference in the URL in the browser window.

It would also be good if responsible registrars refused to accept domain registrations for domains not normalized according to NFKC, but asking companies to refuse business simply because someone else would get hurt is probably not going to be effective.

Re:Unicode has already fixed this problem

[pdc]

I don't claim to be a Unicode expert, but I don't think that normalization form KC will convert U+0430 to 'a', because the Latin small letter A is not its compatability decomposition.

On the other hand, it would prevent spoofing of Greek names using mu and capital omega, or capital A with ring above, or ff ligatures, since there are characters that have them as compatibility decompositions.

The old MS spoofing quick-patch...

[Curtman]

Why don't you just start typing in your URIs from now on?

A few more browser tests (and IE *is* affected)

[Reziac]

Where "sees" means "displays it this way on the status line":

Netscape 3.04 sees http://www.p?ypal.com/ -- looks the same in docsource

OffByOne 3.4a sees http://www.p0ypal.com/ -- looks the same in docsource

K-Meleon 0.9 sees http://www.p?ypal.com/ -- looks like http://www.pypal.com/ in docsource

IE 5.00.2314.1003 (yes, minor builds can make a *big* difference in how IE displays stuff) sees it as http://www.paypal.com/, but the "a" is about half normal size (this is at 1024x768). Docsource as IE feeds it to notepad looks like http://www.pypal.com/

Mozilla 1.5 sees it exactly the same as IE5.00 (above), including docsource

AOLpress (HTML editor with built-in browser) sees it exactly the same as OffByOne (above), including docsource

Netscape 4.50 sees http://www.p?ypal.com/ but displays http://www.pypal.com/ in docsource

Firebird 0.7 sees it exactly the same as Moz 1.5 and IE5.00 (above), including docsource

And Mosaic 0.9 can't figure out WHAT to do with the page and wants to save it to disk.

At this point, I ran out of installed browsers. :)