New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 731745 link

Starred by 1 user
Status: Duplicate
Merged: issue 703750
Owner: ----
Closed: Jun 2017
Cc:
js...@chromium.org
mgiuca@chromium.org
creis@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security
Team-Security-UX



Sign in to add a comment

URL Spoofing via latin dotless i with dot above

Reported by rayyan...@gmail.com, Jun 9 2017 
https://www.xn--gmal-nza43z.com/ (does not show in punnycode)

What went wrong?
By adding "ı̇" we can actually spoof the URL 

More info:

(latin small letter dotless i with dot above)
 
<U+0131, U+0307>

Comment 1 by elawrence@chromium.org, Jun 9 2017

Cc: js...@chromium.org
Components: UI>Security>UrlFormatting UI>Internationalization
Summary: URL Spoofing via latin dotless i with dot above (was: URL Spoofing )
Repro's in Chrome 58, but does not in Chrome 61, suggesting that this was fixed by one of the many recent changes in this area.

Comment 2 by lgar...@chromium.org, Jun 9 2017

Mergedinto: 703750
Status: Duplicate (was: Unconfirmed)
Indeed, this was addressed in https://chromium.googlesource.com/chromium/src/+/a586e96794b89bef4729b33369b8c2035564d376

Comment 3 Deleted

Comment 4 by rayyan...@gmail.com, Jun 9 2017 

I think the bug doesn't reproduce in 61 because the dotless i (  Issue 703750  ) is fixed. However, we can still spoof the URL with i and a dot. Can you check if this reproduces in Chrome 61?

http://xn--gmail-bgd.com/ (latin small letter i with dot above)
PoC.png
14.3 KB View Download
PoC1.png
4.7 KB View Download

Comment 5 by elawrence@chromium.org, Jun 12 2017 

The URL mentioned in #4 renders in Punycode.
Project Member

Comment 6 by sheriffbot@chromium.org, Sep 16 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by mea...@chromium.org, Oct 19

Labels: idn-spoof

Sign in to add a comment