Issue 773051 link

Issue metadata

Status: Duplicate
Merged: issue 726950
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security
Team-Security-UX
Security: Address Bar Spoofing (IDN homograph)

Reported by rbsoulhu...@gmail.com, Oct 9 2017

Issue description

Hi Chrome team,

Armenian Small Letter Ho (U+0578) is not being handled correctly resulting in Address bar spoofing. Attached (spoof.png)

հotel.com is not converted into its punycode equivalent (xn--otel-uff.com). Apparently Firefox's latest version handles it correctly (spoof2.png).

regards,
Rafay

Attachments: spoof.png (56.6 KB), spoof2.png (66.5 KB)
Components: UI>Browser>Omnibox UI>Security>UrlFormatting
Labels: Security_Severity-Critical Security_Impact-Stable
Owner: js...@chromium.org
Status: Assigned (was: Unconfirmed)
jshin, could you please take a look?
Labels: -Security_Severity-Critical Security_Severity-Medium
(sorry, bad autocomplete for severity)
Project Member

Comment 3 by sheriffbot@chromium.org, Oct 10 2017

Labels: M-62
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 10 2017

Labels: Pri-1

Comment 5 by js...@chromium.org, Oct 10 2017

Labels: -Security_Impact-Stable -Security_Severity-Medium -M-62 Security_Severity-Low M-63
Mergedinto: 726950
Status: Duplicate (was: Assigned)
Armenian is not allowed to mix with Latin in ToT (M63-to-be). See bug 726950.

The risk is low because major gTLDs and ccTLDs do not allow the registration of domains mixing Armenian and Latin. So, an example domain in the bug report cannot be registered. 
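An added example (not code from this issue or from Chromium) of the rule jshin describes in comment 5: a hostname label that mixes Armenian with Latin letters is displayed in its punycode (IDNA) form instead of as Unicode. The script classification is a simplification that keys off Unicode character names, and the spoof label is built from U+0570, the code point of Armenian Small Letter Ho; Chromium's real IDN policy contains many more rules than this one.

```python
import unicodedata

# Coarse script classification by Unicode character-name prefix. This is a
# simplification for the example: the standard library does not expose the
# Unicode Script property, which is what a browser would consult.
_SCRIPT_PREFIXES = ("LATIN", "ARMENIAN", "CYRILLIC", "GREEK")


def script_of(ch: str) -> str:
    """Return 'Latin', 'Armenian', ..., 'Common' (digits, '-') or 'Other'."""
    name = unicodedata.name(ch, "")
    for prefix in _SCRIPT_PREFIXES:
        if name.startswith(prefix + " "):
            return prefix.capitalize()
    return "Other" if ch.isalpha() else "Common"


def scripts_in_label(label: str) -> set:
    """Set of scripts used by the letters of one hostname label."""
    return {s for s in map(script_of, label) if s != "Common"}


def to_ascii(hostname: str) -> str:
    """IDNA/punycode form of a hostname, e.g. 'հotel.com' -> 'xn--otel-uff.com'."""
    return hostname.encode("idna").decode("ascii")


def display_hostname(hostname: str) -> str:
    """Apply the comment-5 rule: an Armenian/Latin mix in any label is shown as punycode."""
    for label in hostname.split("."):
        if {"Armenian", "Latin"} <= scripts_in_label(label):
            return to_ascii(hostname)
    return hostname


# Constructed sample: the label from the report, with U+0570 for the Armenian letter.
SPOOF_HOSTNAME = "\u0570otel.com"

if __name__ == "__main__":
    print(scripts_in_label(SPOOF_HOSTNAME.split(".")[0]))  # {'Armenian', 'Latin'}
    print(display_hostname(SPOOF_HOSTNAME))                # xn--otel-uff.com
    print(display_hostname("example.com"))                 # example.com
```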
Project Member

Comment 6 by sheriffbot@chromium.org, Jan 17 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: idn-spoof