"paypaI.com" (with an uppercase "i") can pose as paypal.com
Reported by t...@tobireif.com, Apr 16 2017
Issue description

Chrome Version: 57.0.2987.133
OS Version: OS X 10.12.4
URLs (if applicable):

1. In Chrome's URL bar (with the default font), insert the string "paypal.com" (don't press Enter). It looks OK and is OK.
2. Replace the lower-case "L" with an uppercase "i" (don't press Enter). The URL that could get linked/visited/loaded by an unsuspecting user still looks OK - but it would be the wrong domain. The user who followed a link containing the second URL would enter his/her credentials at a domain that is not the PayPal website.
3. Profit (for the bad guys).

What is the expected result?
The wrong URL should be clearly discernible.

What happens instead of that?
The wrong URL looks nearly exactly like the correct URL.

Please provide any additional information below. Attach a screenshot if possible.
"PayPaI" (with an uppercase "i") can pose as PayPal. This is a security risk. Please (for the URL bar etc.) always ensure a font where "l" (lower L) and "I" (upper i) are very different. This is just one example, please consider other cases as well.

UserAgentString: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Apr 17 2017
Apr 17 2017
Note that Chrome already corrects these URLs to be lower case once the navigation completes, so it shows up as paypai.com. That's the point at which the user would be checking the green padlock icon, as well. Not sure if it's worth doing anything in the font. pkasting@?
Apr 17 2017
Right, I don't think there are Chrome-side issues here.
Comment 1 by nyerramilli@chromium.org, Apr 17 2017
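A defender-side illustration of the two points raised in the report and the reply above: lowercasing the host (as Chrome does once navigation completes) turns "paypaI.com" into "paypai.com", and a confusable-folding comparison against a list of protected brand domains then flags it as a lookalike. This is added example code, not Chromium's; the fold table and the protected-domain list are constructed assumptions.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Visually confusable ASCII characters folded to one representative.
# Constructed for this example; not Unicode's confusables table or Chromium code.
CONFUSABLE_FOLD = str.maketrans({"i": "l", "1": "l", "0": "o", "5": "s"})


def canonical_host(url: str) -> str:
    """Return the lowercased hostname, mirroring what Chrome shows once
    navigation completes: 'paypaI.com' becomes 'paypai.com'."""
    if "//" not in url:          # bare host typed into the URL bar
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def skeleton(host: str) -> str:
    """Fold characters that look alike in common UI fonts ('l' vs 'I' vs '1',
    'o' vs '0', 'rn' vs 'm') so lookalike hosts collapse to the same string."""
    return host.replace("rn", "m").translate(CONFUSABLE_FOLD)


def find_lookalike(url: str, protected: Iterable[str]) -> Optional[str]:
    """Return the protected domain that `url` impersonates, or None.

    An exact match (or a genuine subdomain) of a protected domain is never
    flagged; only hosts that match after confusable folding are."""
    protected = list(protected)
    host = canonical_host(url)
    for domain in protected:
        if host == domain or host.endswith("." + domain):
            return None
    target = skeleton(host)
    for domain in protected:
        folded = skeleton(domain)
        if target == folded or target.endswith("." + folded):
            return domain
    return None


if __name__ == "__main__":
    # Constructed sample: the report's case plus digit-substitution variants.
    brands = ["paypal.com", "google.com"]
    for url in ["paypal.com", "paypaI.com", "https://www.paypa1.com/login", "g00gle.com"]:
        print(f"{url:32} host={canonical_host(url):20} lookalike_of={find_lookalike(url, brands)}")
```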