Security: Near homograph URL spoofing via latin small letter a with dot below (U+1EA1)
Reported by tahir.vb...@gmail.com, May 20 2017
Issue description

NOTE: Security bugs are normally made public once a fix has been widely deployed.

VULNERABILITY DETAILS
Hi, I found a very critical security vulnerability in Chrome on the desktop and Android mobile browser platforms. The vulnerability is very simple and critical.

VERSION
In this vulnerability, if a user types or clicks a specially crafted URL in the address bar, it will redirect to a fake phishing website, but in the Chrome address bar the URL of the website will be exactly the URL of the original website.
Chrome Version: 58.0.3029.110
Operating System: Windows 7
Chrome Version: 57.0.2987.132
Operating System: Android 5.1.1

REPRODUCTION CASE:
To reproduce this case, for example, an attacker sends this URL to the victim: http://xn--whatspp-en4c.com
If the user clicks on this, it will go to a fake website and the browser address bar will show the real whatsapp.com URL, but the website is not actually whatsapp.com.

I also attached the videos for both Android and Windows.
May 20 2017
Sorry, I did not get what you are saying. Are you requiring more information?
May 22 2017
Same as Issue 703750 (only a different character; this uses U+1EA1 whereas that uses U+1E43). Note: If reporting a spoofing vulnerability, if you are the owner of the spoof site, it is best if you put up a simple page explaining that this is not a real site, rather than attempting to copy the appearance of the legitimate site. We will still recognise the spoofing possibility, and you avoid the risk of actually deceiving people.
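An added example, not part of the original thread and not Chromium's own code: a defensive check that decodes the Punycode label from the report and flags labels that differ from an ASCII name only by diacritics, which covers both U+1EA1 here and U+1E43 from Issue 703750. The function names are hypothetical, and the check generalises to any Latin letter with a canonical decomposition.

```python
import unicodedata


def decode_label(label: str) -> str:
    """Decode one DNS label; ACE labels ("xn--") carry Punycode (RFC 3492)."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def ascii_skeleton(text: str) -> str:
    """NFD-decompose and drop combining marks: U+1EA1 -> 'a', U+1E43 -> 'm'."""
    decomposed = unicodedata.normalize("NFD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def near_homograph_report(hostname: str) -> list:
    """Return one finding per label that reads as plain ASCII once marks are removed."""
    findings = []
    for label in hostname.rstrip(".").split("."):
        try:
            shown = decode_label(label)
        except UnicodeError:
            continue  # malformed ACE label: nothing displayable to compare
        if shown.isascii():
            continue  # ordinary ASCII label
        skeleton = ascii_skeleton(shown)
        if skeleton.isascii():
            # Only diacritics separate the displayed label from an ASCII name.
            findings.append({
                "label": label,
                "displayed": shown,
                "looks_like": skeleton,
                "chars": [f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
                          for c in shown if not c.isascii()],
            })
    return findings


if __name__ == "__main__":
    # Hostname taken from the report above.
    for finding in near_homograph_report("xn--whatspp-en4c.com"):
        print(finding)
```

Labels in other scripts (for example Cyrillic) do not reduce to ASCII this way and are not flagged by this check.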
Aug 28 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tahir.vb...@gmail.com, May 20 2017