It's possible to craft phishing links with Kurdish characters in the URL bar, bypassing a recently patched security flaw. (See the reference section below.)
Reported by wieser.b...@gmail.com, Apr 18 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3074.0 Safari/537.36

Steps to reproduce the problem:
1. Register a domain with Kurdish Unicode characters.
2. Create a hyperlink to that page.
3. Browse to the page in Chrome.
4. Observe that the browser displays the Unicode instead of the punycode.

What is the expected behavior?
Chrome should display the punycode version of the URL instead of the Kurdish Unicode character.

What went wrong?
Chrome recently fixed a security issue where Unicode characters could be used in phishing attacks. The mitigation, however, is incomplete. It's possible to bypass the mitigations by using Unicode characters from the Kurdish language. For example, the following link: www.companîes.com

An attacker could register this domain and host a phishing page there. End users would believe they are visiting companies.com.

References:
https://www.xudongz.com/blog/2017/idn-phishing/
https://codereview.chromium.org/2683793010

Did this work before? N/A
Chrome version: 60.0.3074.0
Channel: canary
OS Version: OS X 10.12.4
Flash Version: Shockwave Flash 25.0 r0
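The following is an added example, not code from the bug report or from Chromium. It shows what the punycode form of the reported label is, why a whole-script Cyrillic lookalike rule (the kind of check that catches the all-Cyrillic "apple" lookalike in the referenced blog post) never fires on a Latin letter with a Kurdish diacritic such as î, and how a diacritic-stripping confusable skeleton does flag it. The hostnames are constructed samples, the script detection is a heuristic built on Unicode character names because the standard library exposes no Script property, and the Cyrillic lookalike list is a hand-picked illustrative subset rather than Chromium's table.

```python
# Added example, not from the bug report or Chromium. Contrasts two IDN
# display checks on the reported label and on an all-Cyrillic lookalike.
import unicodedata

# Constructed sample hostnames (assumption: none are real registrations).
REPORTED = "compan\u00eees.com"                        # www.companîes.com from the report
TARGET = "companies.com"
CYRILLIC_APPLE = "\u0430\u0440\u0440\u04cf\u0435.com"  # аррӏе.com, the cited blog's example

# Illustrative subset of Cyrillic letters that render like Latin letters
# (assumption: hand-picked here, not Chromium's list): а е о р с у х ӏ ѕ і ј
CYRILLIC_LATIN_LOOKALIKES = set(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u04cf\u0455\u0456\u0458"
)


def to_ascii(hostname: str) -> str:
    """IDNA-encode: what goes on the wire and what a punycode-displaying URL bar shows."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname: str) -> str:
    """Inverse of to_ascii: what a Unicode-displaying URL bar shows."""
    return hostname.encode("ascii").decode("idna")


def first_label(hostname: str) -> str:
    return hostname.split(".")[0]


def letters(label: str):
    """Skip digits and '-' (Common script); yield only the letters of a label."""
    return (ch for ch in label if not (ch.isdigit() or ch == "-"))


def script_names(label: str) -> set:
    """Heuristic script set: leading word of each letter's Unicode name,
    e.g. 'LATIN SMALL LETTER I WITH CIRCUMFLEX' -> 'LATIN'."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in letters(label)}


def is_mixed_script(label: str) -> bool:
    """True when a label mixes scripts (e.g. Latin plus one Cyrillic 'a')."""
    return len(script_names(label)) > 1


def is_whole_script_cyrillic_lookalike(label: str) -> bool:
    """All letters Cyrillic, and every one a Latin lookalike: flags аррӏе,
    but is blind to a pure-Latin label such as companîes."""
    return script_names(label) == {"CYRILLIC"} and all(
        ch in CYRILLIC_LATIN_LOOKALIKES for ch in letters(label)
    )


def skeleton(label: str) -> str:
    """Simplified confusable skeleton (in the spirit of UTS #39, without its
    mapping table): NFKD-decompose and drop combining marks, so 'î' -> 'i'."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def looks_like(label: str, ascii_target: str) -> bool:
    """True when a label differs from an ASCII target only by diacritics."""
    return label != ascii_target and skeleton(label) == ascii_target


def assess(hostname: str, target: str) -> dict:
    """Run every check on the first label of a hostname against a target."""
    label = first_label(hostname)
    return {
        "punycode": to_ascii(hostname),
        "mixed_script": is_mixed_script(label),
        "whole_script_cyrillic_lookalike": is_whole_script_cyrillic_lookalike(label),
        "skeleton_match": looks_like(label, first_label(target)),
    }


if __name__ == "__main__":
    print(REPORTED, assess(REPORTED, TARGET))
    print(CYRILLIC_APPLE, assess(CYRILLIC_APPLE, "apple.com"))
```

For the reported label the mixed-script and whole-script-Cyrillic checks both come back False, which is the gap the report describes: î is a Latin letter, so a rule keyed on Cyrillic never runs. Only the skeleton comparison flags it. The reverse holds for the all-Cyrillic label: the simplified skeleton here carries no cross-script mapping, so the lookalike rule is what catches it. A display policy needs both kinds of check, and a real deployment would take its mapping table from UTS #39 rather than the short list assumed above.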
Jul 26 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Oct 19
Comment 1 by lgar...@chromium.org, Apr 19 2017
Status: Duplicate (was: Unconfirmed)