Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chrome 59 To Address Punycode Phishing Attack

Posted by msmash on from the patching-things dept.

Google says it will be rolling out a patch to Chrome in v59 to address a decade-old unicode vulnerability called Punycode that allowed attackers to fool people into clicking on compromised links. Engadget adds: Thanks to something called Punycode, phishers are able to register bogus domains that look identical to a real website. Take this proof-of-concept from software engineer Xudong Zheng, where apple.com won't take you to a store selling Macs, iPhones and iPads. The real website is actually https://www.xn--80ak6aa92e [dot] com. The xn-- prefix tells browsers like Chrome that the domain uses ASCII compatible encoding. It allows companies and individuals from countries with non-traditional alphabets to register a domain that contains A-Z characters but renders in their local language. The issue was first reported to Google and Mozilla on January 20th and Google has issued a fix in Chrome 59. It's currently live in the Canary (advance beta release) but the search giant will likely make it available to all Chrome users soon.

28 of 69 comments (clear)

  1. Ooh, I get to complain about the Slashdot post qua by Kiwikwi · · Score: 4, Informative

    Horrible summary... Punycode is an encoding, not a vulnerability. The vulnerability is a variant of the well-known homograph attack.

    The original source explains it better: https://www.xudongz.com/blog/2...

  2. Firefox config switch by Jason69 · · Score: 5, Informative

    In Firefox / about:config set: network.IDN_show_punycode;true

    1. Re:Firefox config switch by antdude · · Score: 1

      Yes, but will Firefox change/fix this soon?

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    2. Re:Firefox config switch by Jason69 · · Score: 1

      Chrome's fix is available in version 59 which is in Canary currently.

    3. Re:Firefox config switch by Jason69 · · Score: 1

      That is Firefox's fix. You can set it to display punycode if you choose.

    4. Re:Firefox config switch by antdude · · Score: 1

      That's dumb/stupid and won't help for those who don't know about this. Mozilla should just enable it by default with a patch or something.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  3. Re:Ooh, I get to complain about the Slashdot post by speranta · · Score: 2

    Of course it's horrible. Engadget just recycles news from other more technical sites. There is also a factual error. The issue will be addressed in Chrome 58. It was already addressed in Chrome Canary 59.

  4. you should also complain about Slashdot subject le by Anonymous Coward · · Score: 1

    Joke in subject, this is just filler.

  5. multiple languages vs local language by MSG · · Score: 2

    The original post notes that "In Chrome and Firefox, the Unicode form will be hidden if a domain label contains characters from multiple different languages."

    It seems to me that a better solution would be to simply display the unicode version only if it contains only characters in the language that the browser is running in (such as the LANG setting on POSIX systems)... especially if the purpose of punycode is to allow domains that "render in their local language."

    Admittedly, that fails to protect Cyrillic systems from the domain used as an example, but it does limit the scope of the problem.

    1. Re:multiple languages vs local language by wbr1 · · Score: 1
      How about displaying both ie:

      https://xn--pple-43d.comhttps/...

      --
      Silence is a state of mime.
    2. Re:multiple languages vs local language by Vadim+Makarov · · Score: 1

      If this is a real security issue, displaying both domains sounds like a non-elegant but working solution. The punicode domain should be displayed where the domain name usually is, and decoded version in the right half of the address bar. Ditto for mouse holdover pop-ups.

      IE's approach seems to be to silently block these URLs from opening, which is also bad.

      --
      17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
  6. countries with non-traditional alphabets by remi2402 · · Score: 4, Insightful

    countries with non-traditional alphabets

    Say what now? Non-traditional? How about simply "languages with non-latin scripts"! And even that description isn't completely accurate as there are plenty of languages written using variants of latin scripts that could benefit from punycode (Spanish, French, German, Scandinavian languages, quite a few Slavic languages, Vietnamese, and I'm probably forgetting a lot).

    I usually don't care about this sort of things but this time I'll bite: there are about 6.5+ billion people on this planet that use "non-traditional alphabets". It's about time whoever wrote the FA at Engadget learns a little bit about the rest of the world.

    1. Re:countries with non-traditional alphabets by wonkey_monkey · · Score: 1

      They should've just said un-American.

      --
      systemd is Roko's Basilisk.
    2. Re:countries with non-traditional alphabets by Anonymous Coward · · Score: 1

      Say what now? Non-traditional?

      What it meant to say was "non-traditional in the context of the internet". The internet started out as an ASCII7 medium (not even ASCII8!). Then other encodings came along, but until very recently you couldn't use things like unicode in domain names at all.

      So in the context being discussed - domain names - anything beyond UTF8 is "non traditional".

    3. Re:countries with non-traditional alphabets by arth1 · · Score: 1

      URLs don't allow for ASCII. Try using a BEL character.
      It is even inconsistent within the URL itself, with the domain names being case insensitive and having their own restrictions that aren't mirrored in the rest of the URL.

    4. Re:countries with non-traditional alphabets by Espectr0 · · Score: 2

      While you are right, i believe the sentiment of the statement is to point out that almost all websites use a restricted ASCII alphabet. And i say this as a spanish speaker.

      --
      Open Source Java Web Forum with LDAP authentication
    5. Re:countries with non-traditional alphabets by radarskiy · · Score: 1

      Any alphabet I don't agree with is a Nazi alphabet.

    6. Re:countries with non-traditional alphabets by thegarbz · · Score: 1

      almost all websites use a restricted ASCII alphabet

      Almost all english websites maybe. There's a huge frigging world out there in unicode if you dared to look. It just doesn't show up neatly in a Google search result resulting in observer bias.

  7. Re:We never learn do we? by Anonymous Coward · · Score: 1

    The parent comment should be modded up. It may not be "politically correct" from a leftist's perspective, but it is very relevant to this discussion.

    For a lot of people, internationalization and localization really is more of a risk than a benefit.

    I'm fluent in three languages, so I can appreciate the need for internationalization and localization for those who need it. Nobody is saying internationalization and localization shouldn't be supported. What we're saying is that it should be trivial to disable them when they aren't needed.

    For example, I don't know Chinese, and I don't expect to ever learn it. The same goes for Arabic, Korean, Japanese, and the various languages of India that don't use Latin or Latin-like alphabets. I would love to be able to disable these languages in my browser, or at least be given a warning before they're used. Since I don't understand them, there's no legitimate reason for me to ever see content in them, at least not without a warning.

    I'd like to take it a step beyond that. I'd like it if my browser could automatically block all content hosted at TLDs or IP addresses associated with third-world ("developing", for the politically correct crowd) nations. After decades of Internet use, I have never had any reason to view content hosted in China, or India, or any African nation. And if I ever did have a legitimate reason to access content from such areas, I would prefer to opt in to viewing it.

    Disabling text and content from these third-world places wouldn't just make my browsing experience more enjoyable, it would also make it safer. I'd lose out on very little by disabling internationalization and localization, and I'd actually gain a whole lot.

  8. 59??? my chrome is 57 by goombah99 · · Score: 2

    My mac tells me it's running version 57.___ and it is up to date. So how long do I have to wait for 59?

    --
    Some drink at the fountain of knowledge. Others just gargle.
  9. Re:We never learn do we? by Pascoea · · Score: 1, Troll

    tries to accommodate every culture until its own gets lost in the noise

    Which culture is it that's getting "lost in the noise"? The one we brought from Europe? The Native one we stepped on in the process? The African one we kidnapped to pick our cotton? The Chinese one that came to build our railroads? Or one of the hundreds of other cultures that have been coming in to our country since its inception?

    We are a nation of immigrants. Unless you are full blood Native you don't have to go back more than a handful of generations to find a foreign parent.

    The US somehow feels like it must apologize for even the most feeble effort at border patrols

    This one I agree with you on. All of the "I'm moving to Canada" people would be in for a hell of a shock when they got the border and were promptly (but probably politely) told to piss off.

  10. Re:So what's the fix? by unrtst · · Score: 4, Interesting

    The article mentions an upcoming patch twice, but is silent on what it does.

    Apparently, though not listed explicitly, they will display the unicode version (Ex: www.xn--80ak6aa92e.com instead of www..com) for these edge cases - though I'm not sure how they're detecting them.

    IMO, it's all stupid mistakes and fixes because it's only an issue because they're trying to make it so "easy to use" and transparent for the dumbest of folks, while making it more and more complex to actually find the real info. For example, you used to be able to click the padlock icon next to the URL if it was an SSL domain, and that'd pop up security and cert info on Chrome. Now, you can't do that... you have to go into developer tools, then expand the tabs (security tab is often outside the window, because they moved the developer console to split the screen vertically instead of horizontally) to find security tab, then get the cert info there.

    All domains should have a very very easy way to see both versions (the unicode/punycode version, and the localized version). Some options:
    * right click on the domain, include both in that menu
    * mouse over the domain, show alt version in the status bar (bring back the status bar!)
    * mouse over the domain, include alt version in mousever text
    * include both on the location bar (one in parenthesis). Eg. [lock icon] Secure | [www.xn--80ak6aa92e.com] https://www./.com/
    * ... or vice-versa: Eg. [lock icon] Secure | [www..com] https://www.xn--80ak6aa92e.com...
    * add a little colored (red?) icon next to the name if punycode is in use. Mouseover on it would display info saying what that did. Clicking it would remove/add the decoding. IE: display the decoded localized characters by default; click the red dot to display the punycode; click again to go back to localized; set a preference from the right click menu on the red dot.

    This isn't something that can be definitively solved programmaticly. It's still a case of tricking users. Just give the users the info they need so they can make a fair decision. The real DNS name is the fully encoded one (ex. xn--80ak6aa92e.com), not the one decoded from that, so please make that readily available to the user. IMO, displaying the localized text should be an added feature, not the primary display.

  11. TEN YEARS by Khyber · · Score: 1

    An easy phishing exploit, left untouched for ten years.

    Does Google not bother hiring black hats to check for this kind of stuff? It's obvious their white-hats have no BOFH credentials.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  12. Actually Chrome 58 by campuscodi · · Score: 1

    It will get a fix in Chrome 59, not 59. There's already a fix in Chrome Canary 59. But the stable branch will get it by the end of the month.

  13. Re:We never learn do we? by EmeraldBot · · Score: 1

    The parent comment should be modded up. It may not be "politically correct" from a leftist's perspective, but it is very relevant to this discussion.

    Damn, it's completely obvious what a racist tirade against multicuturalism has to do with a zero day involving a Unicode exploit. The next time a cow shits, is that going to be taken as an example of the failings of multiculturalism?

    I'm fluent in three languages, so I can appreciate the need for internationalization and localization for those who need it. Nobody is saying internationalization and localization shouldn't be supported. What we're saying is that it should be trivial to disable them when they aren't needed.

    No, your parent CLEARLY states, and I quote, "Let's not do the same thing with browsers please.", in an implied response to supporting multiple languages. So not only is your position ridiculous for someone who supposedly knows three languages, a violation of your parent's claims, you didn't even bother to read his fucking message.

    For example, I don't know Chinese, and I don't expect to ever learn it. The same goes for Arabic, Korean, Japanese, and the various languages of India that don't use Latin or Latin-like alphabets. I would love to be able to disable these languages in my browser, or at least be given a warning before they're used. Since I don't understand them, there's no legitimate reason for me to ever see content in them, at least not without a warning.

    For what benefit? Why should the browser designers add in a layer to check for foreign localization, and store a setting, when the only possible impact is you seeing characters you don't understand? The end result is the same anyway - you'll get an effectively useless webpage. Do you not want to see Chinese characters because they'll steal your job and take your kids or what??? You're proposing a solution that just adds work for everyone else all so you don't have to see scary foreign characters, and it wouldn't even work at all for languages like French or German that use the same character set.

    I'd like to take it a step beyond that. I'd like it if my browser could automatically block all content hosted at TLDs or IP addresses associated with third-world ("developing", for the politically correct crowd) nations. After decades of Internet use, I have never had any reason to view content hosted in China, or India, or any African nation. And if I ever did have a legitimate reason to access content from such areas, I would prefer to opt in to viewing it.

    Alright. We are going to maintain an international IP address, which apparently we are supposed to update on our own time, to isolate you from the non-specified dangers of China, which means you will no longer be able to use any Amazon or Google instance located their. Oh, and I expect you think this should all be done by somebody else too. You are one of the most childishly self-centered assholes on this page, and a racist one at that (and yes, not wanting to see an African webpage because they're black is racist, and you are on the same level as a white southerner in the 1800's, citing the very same intelligent points - which is to say, none at all).

    Disabling text and content from these third-world places wouldn't just make my browsing experience more enjoyable, it would also make it safer. I'd lose out on very little by disabling internationalization and localization, and I'd actually gain a whole lot.

    You would gain absolutely nothing. We as a community, however, would gain tremendously, because now we can simply post a Chinese character and we will never again have to worry about you wandering in here.

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
  14. The problem with .com really by cardiology · · Score: 1

    IMHO it's the problem with .com domain policy – no top level domain should allow the use of different scripts/alphabets. Countries using cyrillic don't allow using cyrillic IDN domains under .ru and .bg for example, there are . and . for that. In the same way .com should allow ASCII only. Yes, there is theoretically homographs problem with top level domains as well, but it is realistically controllable.

  15. Re:So what's the fix? by unrtst · · Score: 1

    :-( I should have previewed that comment.
    The two examples I provided should have been:

    * include both on the location bar (one in parenthesis). Eg. [lock icon] Secure | [www.xn--80ak6aa92e.com] https://www.apple.com/
    * ... or vice-versa: Eg. [lock icon] Secure | [www.apple.com] https://www.xn--80ak6aa92e.com/

    NOTE: in the above, the word "apple" would be the phishing version with the "l" replaced by a unicode character, or the "a" replaced by the greek "a", but slashdot doesn't like unicode, so I just entered the ascii versions. IE. use your imagination :-)

  16. Re:59??? my chrome is 57 by tobiasly · · Score: 1

    My mac tells me it's running version 57.___ and it is up to date. So how long do I have to wait for 59?

    Probably about 3 months. Beta is the next version, Dev is weekly build, Canary is nightly build. Stable releases are every 6 weeks.

    https://www.chromium.org/getti...