Issue metadata
Sign in to add a comment
|
IDN near-homoglyph Attack
Reported by
servergh...@gmail.com,
Apr 5 2017
|
||||||||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 Steps to reproduce the problem: 1. First make a html file with the following codes- believe me this is real ask.com -> <a href="http://xn--as-3pa.com">ask.com</a> 2. Now ACCESS that page with Google Chrome and hover the mouse over the ask.com 3. And You will notice that below the link shows it will take me to ask.com , and when i click it , the link takes me to malicious ask.com Also you can go here http://softwareaddictionshow.github.io/IDN-homograph-attack/ and click the fake links What is the expected behavior? As i have noticed how other browser behaves with such delicate stuffs it made me report this issue. Here's what other browsers do - https://drive.google.com/open?id=0Bwevk8cQimnFa2pJUTI4WDQyTWM The "href" contains a malicious link which should also display in the link preview below. But unlike other browsers chrome shows the spoofed address which should never happen. What went wrong? The convertion of punycode is happening before the browser can even show the victim where he is going. Most of the users check's the link preview to see where this link will take me. This way we can easily get away with user's information and many more. Many browsers displays Punycode for IDNs unless the top-level domain (for example TLDs such as .ac or .museum) prevents homograph attacks by restricting which characters can be used in domain names.It also allows users to manually add TLDs to the allowed list. Did this work before? N/A Chrome version: 56.0.2924.87 Channel: n/a OS Version: 10.0 Flash Version:
,
Apr 6 2017
+mgiuca to triage
,
Apr 6 2017
This is related to Issue 683314 , where we address near-perfect Cyrillic spoofing. However, ΔΈ does not have the full vertical stem of k, which makes this more of a duplicate of Issue 703750 (Near-homoglyph whole-script IDN spoofing).
,
Apr 6 2017
I dont think the issue is similar, Since here the "link preview" which tells me where will I go if I click the link, is vulnerable if you create a html file with the following html codes- <a href="http://xn--as-3pa.com/">Ask.com</a> and hover over the link it will show it will take you to ask.com. I'm reporting that issue that should not have happened instead it should have behaved like other browser and letting me know where "href" is sending me. Here all you need is this http://xn--as-3pa.com/ Although you guys know the best
,
Apr 6 2017
> I dont think the issue is similar, Since here the "link preview" which tells me where will I go if I click the link, is vulnerable That is not a security issue, since the site can spoof it anyways: https://www.chromium.org/user-experience/status-bubble I would expect the Chrome Custom Tab used by GMail to follow the same rules as Chrome, so that's not a separate issue.
,
Apr 13 2017
,
Apr 18 2017
,
Jul 13 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 19
|
|||||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||||
Comment 1 by servergh...@gmail.com
, Apr 5 201716.8 MB
16.8 MB Download