Slashdot Mirror

← Back to Stories (view on slashdot.org)

Shmoo Group Finds Exploit For non-IE Browsers

Posted by Hemos on from the even-mozilla-is-guilty dept.

shut_up_man writes "Saw this on Boing Boing: East coast hacker con Shmoocon ended today and they had a nasty browser exploit to show off... using International Domain Name (IDN) character support to display fake domain names in links and the address bar. Their examples use Paypal (with SSL too) and this looks very useful for phishing attacks. Interesting note that it works in every browser *except* IE (which makes this exploit a lot less dangerous in the end, I suppose)."v The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.

19 of 621 comments (clear)

  1. Another IDN bug on Firefox by IO+ERROR · · Score: 5, Informative
    When trying this out on Firefox on Linux, I noticed that the URL in the address bar is rendered two or three pixels lower than normal. If you're paying close attention, this is easy to spot. Also, the "real" URL appears in the status bar while the spoofed page is being loaded, i.e. "Looking up www.xn--pypal-4ve.com..."

    To disable IDN as a workaround for this problem (on Gecko-based browsers): hit about:config and set network.enableIDN to false.

    --
    How am I supposed to fit a pithy, relevant quote into 120 characters?
    1. Re:Another IDN bug on Firefox by drinkypoo · · Score: 5, Insightful

      I hope you do realize that on most computers, if the view source tool has ever been used, it was because the user hit it accidentally while trying to access another menu item or key combination...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Another IDN bug on Firefox by Tetsugaku-San · · Score: 5, Insightful

      yeah, cos we ALL watch that stuff - and my monitor is at 320x200 so 3 pixels out is easy to spot . . . .

      --

      My Portfolio
    3. Re:Another IDN bug on Firefox by vivin · · Score: 5, Informative

      Who says this is a Linux vulnerability? This is a browser vulnerability.

      Browsers != Linux.

      And it's not FUD - it is an actual problem. It sure tricked Firefox running on my windows machine.

      --
      Vivin Suresh Paliath
      http://vivin.net

      I like
    4. Re:Another IDN bug on Firefox by finkployd · · Score: 5, Informative

      To disable IDN as a workaround for this problem (on Gecko-based browsers): hit about:config and set network.enableIDN to false.

      That is a great suggestion, except for the part where it does not work.

      Go ahead, make the change, then restart your browser. Now go look at about:config again. Yup, still set to false. Now go see if it the setting worked. It does not. So at least with Firefox 1.0 just took a bad situation and made it worse. Now people will think turning off this setting will actually accompolish something and protect them and it will not.

      Finkployd

    5. Re:Another IDN bug on Firefox by Ced_Ex · · Score: 5, Insightful

      I suppose you understand how pharmaceuticals fully interact with your body? Or I suppose you fully understand every working part in your car?

      There are plenty of things people use that they have very little understanding of. They may know the interface of that device or system, but beyond that, it's all a black box to them. Browsers included.

      If you go by your statement of "if you don't understand it, don't use it", I'm sure there are plenty of things you can eliminate out of your own life as well.

      --
      Live forever, or die trying.
    6. Re:Another IDN bug on Firefox by bunratty · · Score: 5, Informative

      This has been reported as bug 281377.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
  2. Are phishers going to bother with this, though? by The+I+Shing · · Score: 5, Interesting

    I'm surprised to hear that Microsoft's refusal to adopt international standards in their browser actually thwarts a potential phishing attack rather than aiding it. If the problem can't be fixed in the browsers, maybe email clients and websites can find some way of decoding, detecting, and disabling such links. Are phishers going to bother trying to use this exploit if it works on less than 10% of their potential victims?

    --
    You are in error. No-one is screaming. Thank you for your cooperation.
  3. So what? by Anonymous Coward · · Score: 5, Insightful

    This isn't per-se a browser fault, it is more of a flaw in the IDN system.

    Atleast, we can bash FF instead of IE now.

  4. Switch by Anonymous Coward · · Score: 5, Funny

    Damnit... now I'm switching back.

  5. Opera won't fix it? by MoonFog · · Score: 5, Informative

    From the text:
    VI. Vendor Responses

    Verisign: No response yet.
    Apple: No response yet.
    Opera: They believe they have correctly implemented IDN, and will not be making any changes.
    Mozilla: Working on finding a good long-term solution; provided clear workaround for disabling IDN.
    So, Opera won't fix it? They have a proof of concept, and Opera believe their implementation is correct? Maybe, but they still need to provide an update, and something tells me they will .. eventually.

    1. Re:Opera won't fix it? by TheIndividual · · Score: 5, Insightful

      Well it isn't really a bug. Their implementation is correct it just suffers a flaw that IDN introduced. So from a technical point of view, the browser does what it is supposed to do. However it would be nice to see them implement some kind of protection against unicode letters looking like ASCII-letters. A warning popup or colour coding of those letter maybe.

  6. I'm waiting the patch from MS by gustgr · · Score: 5, Funny

    Ok, it doesn't work in IE... so when the patch will be released? I mean... it is IE, the exploits HAVE to work. Microsoft should be worried, they are not doing their job properly.

  7. network.enableIDN doesn't fix things by openSoar · · Score: 5, Informative

    The 'fix' they mention (setting network.enableIDN to false via about:config) only works until you restart the browser - when you reopen the browser, things are back to the same even though the setting is still false..

  8. ICANN is worried too by Peter_Pork · · Score: 5, Informative
    From ICANN's log:
    There are many technical problems with this change. It essentially undermines IDNA, which is now on standards track, by adding a level of guessing to the DNS that IDNA is explicitly designed to avoid. Further, it makes it appear that IDNs are only useful in domain names for web sites (and only for sites in .com and .net), and only at the second level. VGRS has said that their plug-in will not work with most of the ccTLDs, for example.

    For example, if you enter .com in Internet Explorer for Windows, where "" is the single hex octet 0xE5, you see the screen shown in the attached file called "[lynn-message-to-iab-06jan03-]e5.tif". (Sorry about the TIFF image, but it's the only reliable format for PC screen dumps.) As you can see, VGRS makes wild guesses about what the user wanted, some of which are very clearly impossible. Worse yet, they do not include all of the legal guesses that they could have made. And, just to make it completely confusing to the user, not all of the choices work.

    The DNS is not supposed to be a best-guess service, yet VGRS has turned .com and .net into this just before IDNA is to be an RFC. VGRS should not be allowed, through its monopoly on the .com and .net gTLDs, to destroy the coherence of the DNS for its own short-term profit. ICANN should demand that VGRS immediately stop giving incorrect answers to any query in .com and .net, and should instead follow the IETF standards. If VGRS refuses, ICANN should re-delegate the .com and .net zones to registries that are more willing to follow the DNS standards.
    See this also.
  9. notepad by leuk_he · · Score: 5, Informative

    If i copy /paste the link into notepad it just looks right And if i copuy /past it back to firefox i get the "spoofed" page back again.

    next:

    Trolls can have a couple of days fun on slashdot.

    And verisign van sell a lot of domains to phishers. (profit!)

  10. Douglas Hofstadter: When an A is not an A by G4from128k · · Score: 5, Interesting

    This brings up the amusing problem of character recognition by human and non-human intelligences. Douglas Hofstadter discusses this issue in on seeing A's and seeing As.

    In the case of this exploit, a deep flaw in IDN and computer fonts means that character #1072 is rendered typographically as an "a". The irony is that this is one of the few cases in which a computer can readily tell the difference between "a" and #1072 and a person cannot. The only solution would be rules that prohibit isomorphic characters in typefaces or a in-browser warning system that analyses the potential for ambiguity and alerts the user.

    --
    Two wrongs don't make a right, but three lefts do.
  11. IDN pain in the but anyway by spectrokid · · Score: 5, Informative

    Here in Scandinavia, the letters Å,Æ,Ø, are actually quite new. It is acceptable to spell them as AA, AE and OE respectively on non-scandinavian keyboards. With IDN adresses now becomming available, you constantly have to remember which spelling is used on which website. It would be a hell of a lot more practical if only the 26 alphabeth was used and software would automatically expand ingeniøren.dk to ingenioeren.dk. This way you could use whatever you want. And websites will not be too happy about using special characters, because it makes them almost impossible to reach on non-scandinavian computers.

    --

    10 ?"Hello World" life was simple then

  12. You're being too elitist by Tibor+the+Hun · · Score: 5, Funny

    I'm planning on taking an airplane flight in 7 years, and am already taking classes on aeronautics, history of flight, airplane engineering, and am enrolled in the technical school for airplane building and maintenancy.^H^H

    Uh-oh, looks like my "delete" key stopped working again. Must need another .5 ohm resistor, with a diode overlay. I'll do that as soon as I'm done casting the waterpump for my car.

    --
    If you don't know what AltaVista is (was), get off my lawn.