
Issue 756226 link

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows , Mac
Pri: 2
Type: Bug-Security
Team-Security-UX

Blocked on:
issue 726950




Security: URL spoofing with Armenian characters

Reported by chromium...@gmail.com, Aug 16 2017

Issue description

VERSION
Chrome Version: 62.0.3187.0 (Official Build) canary (64-bit)
Operating System: Mac

REPRODUCTION CASE

Some examples: 

http://xn--youtobe-bmi.com/

http://xn--aypal-keg.com/
 
Repro on Windows.
Attachment: screenshot.png
Components: UI>Security>UrlFormatting UI>Internationalization
Owner: js...@chromium.org
Summary: Security: URL spoofing with Armenian characters (was: Security: Near-Armenian confusable domain label spoofing)

Comment 3 by rsesek@chromium.org, Aug 17 2017

Labels: Security_Severity-Medium Security_Impact-Stable OS-Mac OS-Windows Pri-1
Status: Assigned (was: Unconfirmed)

Comment 4 by sheriffbot@chromium.org, Aug 18 2017

Labels: M-61

Comment 5 by js...@chromium.org, Aug 21 2017

Labels: -Security_Severity-Medium Security_Severity-Low
The two example domains cannot be registered. See

https://www.verisign.com/en_US/channel-resources/domain-registry-products/idn/idn-policy/registration-rules/index.xhtml

Comment 6 by sheriffbot@chromium.org, Aug 22 2017

Labels: -Pri-1 Pri-2

Comment 7 by js...@chromium.org, Aug 29 2017

Blockedon: 726950
Labels: -M-61

Comment 8 by bugdroid1@chromium.org, Oct 4 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fd34ee82420c5e5cb04459d6e381944979d8e571

commit fd34ee82420c5e5cb04459d6e381944979d8e571
Author: Jungshik Shin <jshin@chromium.org>
Date: Wed Oct 04 23:25:49 2017

Change the script mixing policy to highly restrictive

The current script mixing policy (moderately restrictive) allows
mixing of Latin-ASCII and one non-Latin script (unless the non-Latin
script is Cyrillic or Greek).

This CL tightens up the policy to block mixing of Latin-ASCII and
a non-Latin script unless the non-Latin script is Chinese (Hanzi,
Bopomofo), Japanese (Kanji, Hiragana, Katakana) or Korean (Hangul,
Hanja).

Major gTLDs (.net/.org/.com) do not allow the registration of
a domain that has both Latin and a non-Latin script. The only
exception is names with Latin + Chinese/Japanese/Korean scripts.
The same is true of ccTLDs with IDNs.

Given the above registration rules of major gTLDs and ccTLDs, allowing
mixing of Latin and non-Latin other than CJK has no practical effect. In
the meantime, domain names in TLDs with a laxer policy on script mixing
would be subject to a potential spoofing attempt with the current
moderately restrictive script mixing policy. To protect users from those
risks, there are a few ad-hoc rules in place.

By switching to highly restrictive those ad-hoc rules can be removed
simplifying the IDN display policy implementation a bit.

This is also coordinated with Mozilla. See
https://bugzilla.mozilla.org/show_bug.cgi?id=1399939 .

BUG=726950,756226,756456,756735,770465
TEST=components_unittests --gtest_filter=*IDN*

Change-Id: Ib96d0d588f7fcda38ffa0ce59e98a5bd5b439116
Reviewed-on: https://chromium-review.googlesource.com/688825
Reviewed-by: Brett Wilson <brettw@chromium.org>
Reviewed-by: Lucas Garron <lgarron@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#506561}
[modify] https://crrev.com/fd34ee82420c5e5cb04459d6e381944979d8e571/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/fd34ee82420c5e5cb04459d6e381944979d8e571/components/url_formatter/url_formatter_unittest.cc
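As an added illustration, not code from the Chromium CL above, here is a simplified Python model of the two policies the commit message describes, run on the two labels reported in this issue. It assumes script detection by Unicode block range (an approximation of the Unicode Script property, limited to the scripts that matter here) and stands in for the real ICU-based spoof checker in idn_spoof_checker.cc.

```python
import codecs
# Script detection by Unicode block range, an approximation of the Script property.
SCRIPT_RANGES = {
    "Latin":    [(0x0061, 0x007A)],                    # Latin-ASCII lowercase letters
    "Greek":    [(0x0370, 0x03FF)],
    "Cyrillic": [(0x0400, 0x04FF)],
    "Armenian": [(0x0530, 0x058F)],
    "Hangul":   [(0x1100, 0x11FF), (0xAC00, 0xD7AF)],
    "Hiragana": [(0x3040, 0x309F)],
    "Katakana": [(0x30A0, 0x30FF)],
    "Bopomofo": [(0x3100, 0x312F)],
    "Han":      [(0x3400, 0x4DBF), (0x4E00, 0x9FFF)],
}
# The CJK exception: Latin may mix with any one of these script groups.
CJK_GROUPS = [
    {"Han", "Bopomofo"},              # Chinese
    {"Han", "Hiragana", "Katakana"},  # Japanese
    {"Han", "Hangul"},                # Korean
]

def script_of(ch):
    cp = ord(ch)
    for name, ranges in SCRIPT_RANGES.items():
        if any(lo <= cp <= hi for lo, hi in ranges):
            return name
    return "Common"  # digits, hyphen and anything not modelled

def scripts_in(label):
    return {script_of(c) for c in label} - {"Common"}

def decode_label(label):
    """Decode an ACE (xn--) label to Unicode; other labels are returned unchanged."""
    if label.startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label

def allowed(label, policy):
    """policy is 'moderate' (Chromium before this CL) or 'high' (after it)."""
    scripts = scripts_in(label)
    non_latin = scripts - {"Latin"}
    if "Latin" not in scripts:  # one non-Latin script, or a CJK combination
        return len(non_latin) <= 1 or any(non_latin <= g for g in CJK_GROUPS)
    if not non_latin or any(non_latin <= g for g in CJK_GROUPS):
        return True
    if policy == "high":  # Latin + any non-CJK script is blocked
        return False
    # Moderate: Latin + exactly one other script, unless it is Cyrillic or Greek.
    return len(non_latin) == 1 and not (non_latin & {"Cyrillic", "Greek"})
```

Under the old policy both reported labels display as Unicode; under the new one they fall back to their xn-- form, while Latin plus Katakana (or any single-script label) is still displayed.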

Comment 9 by js...@chromium.org, Oct 4 2017

Status: Fixed (was: Assigned)

Comment 10 Deleted


Comment 11 by sheriffbot@chromium.org, Oct 5 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Historically, we've ranked IDN spoofs at Severity Medium, although this one was partially mitigated by the fact that ".com" limits mixing with Armenian. The VRP should still take a look.

Comment 13 by js...@chromium.org, Oct 13 2017

Cc: markda...@google.com sffc@google.com
Reported domains cannot be registered in com/net/org and ccTLDs accepting Armenian domains. 

Labels: -reward-topanel reward-0
I'm afraid the panel declined to award for this bug.
Labels: Release-0-M63 M-63
Labels: CVE-2017-15424

Comment 17 by sheriffbot@chromium.org, Jan 11 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE_description-missing
Labels: -CVE_description-missing CVE_description-submitted
Labels: idn-spoof
