New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 773051 link

Starred by 1 user
Status: Duplicate
Merged: issue 726950
Owner:
js...@chromium.org
Closed: Oct 2017
Cc:
mgiuca@chromium.org
creis@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security
Team-Security-UX



Sign in to add a comment

Security: Address Bar Spoofing (IDN homograph )

Reported by rbsoulhu...@gmail.com, Oct 9 2017 
Hi Chrome team,

Armenian Small Letter Ho (U+0578) is not being handled correctly resulting in Address bar spoofing. Attached (spoof.png)

հotel.com is not converted into it's punnycode equivalent (xn--otel-uff.com). Apparently firefox's latest version handles it correclty(spoof2.png) 

regards,
Rafay
spoof.png
56.6 KB View Download
spoof2.png
66.5 KB View Download

Comment 1 by och...@chromium.org, Oct 9 2017

Components: UI>Browser>Omnibox UI>Security>UrlFormatting
Labels: Security_Severity-Critical Security_Impact-Stable
Owner: js...@chromium.org
Status: Assigned (was: Unconfirmed)
jshin, could you please take a look?

Comment 2 by och...@chromium.org, Oct 9 2017

Labels: -Security_Severity-Critical Security_Severity-Medium
(sorry, bad autocomplete for severity)
Project Member

Comment 3 by sheriffbot@chromium.org, Oct 10 2017

Labels: M-62
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 10 2017

Labels: Pri-1

Comment 5 by js...@chromium.org, Oct 10 2017

Labels: -Security_Impact-Stable -Security_Severity-Medium -M-62 Security_Severity-Low M-63
Mergedinto: 726950
Status: Duplicate (was: Assigned)
Armenian is not allowed to mix with Latin in ToT (M63-to-be). See  bug 726950  . 

The risk is low because major gTLDs and ccTLDs do not allow the registration of domains mixing Armenian and Latin. So, an example domain in the bug report cannot be registered.
Project Member

Comment 6 by sheriffbot@chromium.org, Jan 17 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by mea...@chromium.org, Oct 19

Labels: idn-spoof

Sign in to add a comment