New issue
Advanced search Search tips

Issue 762909 link

Starred by 2 users
Status: WontFix
Owner: ----
Closed: Sep 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: IDN homograph attack on latest Chrome Browser

Reported by r...@itsec.pro, Sep 7 2017 
VULNERABILITY DETAILS
Chrome doesn't show any security warning when homograph symbols "ḳ" (1E33), "ṇ"(1E47), "ḅ" (1E05) are used in URL.
Punycode also is not shown. 
This can be used for phishing attacks. 

Example: facebooḳ.com (notice "K with dot" at the end), caṇon.com (notice n with dot in the middle).

VERSION
Chrome Version: tested on latest desktop and mobile
Operating System: Windows 10, Android 6.0.1

REPRODUCTION CASE
copy and paste those URL in a brower.
facebooḳ.com, caṇon.com

Notice that no punycode is shown.

ADDITIONAL VECTOR
No Gmail warning is shown when user receives email from that domains. This can be used for phishing.

Comment 1 by elawrence@chromium.org, Sep 7 2017

Components: UI>Browser>Omnibox UI>Internationalization
Labels: Needs-Feedback
On which Chrome version specifically did you have this problem?

facebooḳ.com and caṇon.com both render in Punycode (With the xn-- prefix) in Chrome 61.3163 and 63.3207.

Comment 2 by mea...@chromium.org, Sep 12 2017

Status: WontFix (was: Unconfirmed)
I also see these domains in punycode.

root@itsec.pro: Can you please clarify which Chrome version you were testing with? In the meanwhile, I'm going to close this as WontFix, but happy to reopen if you have more information. Thanks.
Project Member

Comment 3 by sheriffbot@chromium.org, Dec 20 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by mea...@chromium.org, Oct 19

Labels: idn-spoof

Sign in to add a comment