
Issue 725584


Issue metadata

Status: WontFix
Owner: ----
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




IDN Phishing: Spoofing HTTPS and LOCK with emoticons in domain name

Reported by whitepen...@gmail.com, May 23 2017

Issue description

VULNERABILITY DETAILS

I would like to report a potentially new phishing method.
There is a possibility to use emoticons in domain names for phishing purposes.

An attacker can register a domain in the structure (or create a subdomain on their own servers):
[LOCK]https[colon][double_slash]google.DOMAIN

VERSION
Chrome Version: 58.0.3029.110 (64-bit)
Operating System: Mac OS 10.12.5

REPRODUCTION CASE
For example: www.xn--httpsgoogle-fi0d042oo215i.wien
I added a screenshot as an attachment.

Attachment: www_xn--httpsgoogle-fi0d042oo215i_wien.jpg (116 KB)

Comment 1 by kenrb@chromium.org, May 23 2017

Cc: js...@chromium.org
Thanks for the report. When I try to display that URL I see punycode (as I would have expected). It isn't clear to me how the IDN policy would display that URL in unicode in your case.

jshin@: Can you comment on this?

Comment 2 by js...@chromium.org, May 23 2017

It's displayed in Punycode as expected. 

I guess this is not about the URL display, but about the 3rd line in the output ( Search Google for .... ). 

------------cut------here--------------------
This site can’t be reached

www.xn--httpsgoogle-fi0d042oo215i.wien’s server DNS address could not be found.

Search Google for 🔒https᛬⑊google wien    <====  this line

ERR_NAME_NOT_RESOLVED
-----------------------------

I doubt that can be an attack vector. 

Comment 3 by kenrb@chromium.org, May 23 2017

Labels: Needs-Feedback
The submitted screenshot shows an IDN in the omnibox.

@whitepenetrationtester: How did you make that display? IDN policy is supposed to prevent that, and we can't confirm this bug without a way to reproduce it.
Hi,

I will try to reproduce it on another Mac - maybe I have some "special" fonts that make this bug.

Best Regards

Comment 5 by sheriffbot@chromium.org, May 23 2017

Cc: kenrb@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "kenrb@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by js...@chromium.org, May 24 2017

Components: UI>Browser>Omnibox
The only way to get the screenshot attached to the bug report is 

1. Go to www.xn--httpsgoogle-fi0d042oo215i.wien

2. Copy and paste the string in the page "🔒https᛬⑊google wien" to the omnibox

3. Take a screenshot 

So, this should be invalid. 

> maybe I have some "special" fonts that make this bug.

You need a very special font with a rather sophisticated opentype GSUB table to display 
www.xn--httpsgoogle-fi0d042oo215i.wien as if it is 🔒https᛬⑊google wien . 

If somebody hacked your Mac to hack the primary UI font on Mac to have such a GSUB table, there are more things to worry about than this issue. 

I suggest resolving this as invalid. 
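
An added example, not part of the original thread and not Chromium's code: it decodes the reported hostname label by label and falls back to the Punycode form when a label contains symbol or punctuation code points, which is the outcome the comments above describe. The function names and the category rule are assumptions for illustration; Chrome's real IDN policy is more involved than this check.

```python
import unicodedata

ACE_PREFIX = "xn--"


def decode_label(label):
    """Return the Unicode form of one DNS label (Punycode A-label -> U-label)."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def suspicious_chars(ulabel):
    """List code points that are not letters, digits, combining marks or '-'.

    Simplified rule (assumption): anything in a symbol or punctuation
    category can imitate browser UI or URL syntax, so it is flagged.
    """
    flagged = []
    for ch in ulabel:
        cat = unicodedata.category(ch)
        if ch != "-" and cat[0] not in ("L", "N", "M"):
            name = unicodedata.name(ch, "UNKNOWN")
            flagged.append((f"U+{ord(ch):04X}", cat, name))
    return flagged


def display_form(hostname):
    """Show Unicode only when no label contains a flagged code point."""
    decoded = [decode_label(label) for label in hostname.split(".")]
    if any(suspicious_chars(u) for u in decoded):
        return hostname  # keep the Punycode form
    return ".".join(decoded)


if __name__ == "__main__":
    host = "www.xn--httpsgoogle-fi0d042oo215i.wien"  # hostname from the report
    for label in host.split("."):
        for codepoint, cat, name in suspicious_chars(decode_label(label)):
            print(f"{label}: {codepoint} {cat} {name}")
    print("display as:", display_form(host))
```
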

Comment 7 by kenrb@chromium.org, May 24 2017

Status: WontFix (was: Unconfirmed)
To the reporter: If there is something we missed then we can re-open, but I'm closing this for now since this doesn't look like a bug.

Comment 8 by sheriffbot@chromium.org, Aug 30 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: idn-spoof