New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 757180 link

Starred by 1 user
Status: Duplicate
Merged: issue 726950
Owner: ----
Closed: Aug 2017
Cc:
js...@chromium.org
mgiuca@chromium.org
creis@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security
Team-Security-UX



Sign in to add a comment

IDN: URL spoofing via TIBETAN SIGN YANG RTAGS

Reported by rayyan...@gmail.com, Aug 19 2017 
http://xn--facebook-jj2a.com/ (does not show in punnycode)

What went wrong?
By adding this *྇྇ (notice the weird thing above asterisk) we can actually spoof the URL (espicially the inexperienced users)

More info:

U+0F87 - TIBETAN SIGN YANG RTAGS
PoC.png
16.0 KB View Download

Comment 1 by elawrence@chromium.org, Aug 19 2017

Components: UI>Browser>Omnibox UI>Internationalization
Summary: IDN: URL spoofing via TIBETAN SIGN YANG RTAGS (was: URL spoofing via TIBETAN SIGN YANG RTAGS)
This is less compelling on Mac.

Comment 2 by elawrence@chromium.org, Aug 22 2017

Cc: js...@chromium.org

Comment 3 by lgar...@chromium.org, Aug 23 2017

Components: -UI>Internationalization UI>Security>UrlFormatting

Comment 4 by ta...@google.com, Aug 23 2017

Mergedinto: 756866
Status: Duplicate (was: Unconfirmed)

Comment 5 by rayyan...@gmail.com, Aug 23 2017 

would you people mind if I ask you to cc me on the respective case?

Comment 6 by js...@chromium.org, Nov 14 2017

Mergedinto: -756866 726950
Project Member

Comment 7 by sheriffbot@chromium.org, Nov 30 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by mea...@chromium.org, Oct 19

Labels: idn-spoof

Sign in to add a comment