
Issue metadata

Status: Fixed
Owner:
Closed: Jan 3
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Security




Security: Whole-script confusable domain label spoofing (Cyrillic)

Reported by chromium...@gmail.com, Oct 12 2017

Issue description

VERSION
Chrome Version: 63.0.3236.0 (Official Build) canary (64-bit)
Operating System: Mac

REPRODUCTION CASE

http://xn--c1ad2baa8a0g.com >> \u0442\u0448\u0456\u0442\u0442\u0435\u0433.com >> тшіттег.com
Cc: js...@chromium.org
Components: UI>Browser>Omnibox UI>Internationalization
Status: Untriaged (was: Unconfirmed)
Attachment: Windows10-Chrome63.png (7.6 KB)

Comment 2 by wfh@chromium.org, Oct 12 2017

Labels: Security_Severity-Low Security_Impact-Stable

Comment 3 by sheriffbot@chromium.org, Oct 13 2017

Labels: Pri-2

Comment 4 by kenrb@chromium.org, Oct 17 2017

Issue 774253 has been merged into this issue.
Another example: http://www.xn--80aj7b8a.com >> еьау.com

Interesting that this domain appears to be registered for real.
This is similar to issue 683314 and issue 714628.
Cc: calderon...@gmail.com

Comment 8 by palmer@chromium.org, Oct 27 2017

Cc: mgiuca@chromium.org
Labels: -Pri-2 -Security_Severity-Low M-64 Security_Severity-Medium OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows Pri-1
Owner: js...@chromium.org
Status: Assigned (was: Untriaged)
jshin, can you take this or find a good person for it?

Comment 9 by sheriffbot@chromium.org, Oct 27 2017

jshin: Uh oh! This issue is still open and hasn't been updated in the last 15 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: -js...@chromium.org markda...@google.com sffc@google.com
тшіттег.com : hmm.... how similar/confusable is this to twitter.com ?

еьау.com : how about this ?

> Interesting that this domain appears to be registered for real.

Because еьау is entirely made of Cyrillic letters, registrars do not block it.

To block the above two, 'т' and 'ь' have to be added to the confusability set.
Yes, my bug (774253) has been marked as a duplicate but I could register шнатѕарр.com.



Comment 12 by sheriffbot@chromium.org, Nov 16 2017

jshin: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 13 by js...@chromium.org, Nov 18 2017

The confusables list for 'tw' and 'тш'

https://unicode.org/cldr/utility/confusables.jsp?a=%D1%82%D1%88+tw&r=None


Comment 14 by js...@chromium.org, Nov 18 2017

The confusables list for 'шнѕ' and 'whs'.

https://unicode.org/cldr/utility/confusables.jsp?a=%D1%88%D0%BD%D1%95+whs&r=None



Comment 15 by bugdroid1@chromium.org, Dec 5 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b3f0207c14fccc11aaa9d4975ebe46554ad289cb

commit b3f0207c14fccc11aaa9d4975ebe46554ad289cb
Author: Jungshik Shin <jshin@chromium.org>
Date: Tue Dec 05 09:35:25 2017

Add a few more confusable map entries

1. Map Malayalam U+0D1F to 's'.
2. Map 'small-cap-like' Cyrillic letters to "look-alike" Latin lowercase
letters.

The characters in new confusable map entries are replaced by their Latin
"look-alike" characters before the skeleton is calculated to compare with
top domain names.

Bug: 784761, 773930
Test: components_unittests --gtest_filter=*IDNToUni*
Change-Id: Ib26664e21ac5eb290e4a2993b01cbf0edaade0ee
Reviewed-on: https://chromium-review.googlesource.com/805214
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#521648}
[modify] https://crrev.com/b3f0207c14fccc11aaa9d4975ebe46554ad289cb/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/b3f0207c14fccc11aaa9d4975ebe46554ad289cb/components/url_formatter/idn_spoof_checker.h
[modify] https://crrev.com/b3f0207c14fccc11aaa9d4975ebe46554ad289cb/components/url_formatter/top_domains/alexa_domains.list
[modify] https://crrev.com/b3f0207c14fccc11aaa9d4975ebe46554ad289cb/components/url_formatter/top_domains/alexa_skeletons.gperf
[modify] https://crrev.com/b3f0207c14fccc11aaa9d4975ebe46554ad289cb/components/url_formatter/top_domains/make_alexa_top_list.py
[modify] https://crrev.com/b3f0207c14fccc11aaa9d4975ebe46554ad289cb/components/url_formatter/url_formatter_unittest.cc
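An added example (not Chromium's code, not the ICU skeleton routine) of the check the commit message describes: characters in a Cyrillic-to-Latin look-alike table are replaced before the label's skeleton is compared against top-domain skeletons. The table, the top-domain list and the names are constructed for this illustration, simplified from the thread; the two "missing" entries are the ones jshin's comment names, U+0442 and U+044C.

```python
import unicodedata

# Constructed, simplified look-alike table for this example (not Chromium's map).
# Code points are written as escapes so the Cyrillic letters are unambiguous.
CONFUSABLES_BEFORE = {
    "\u0430": "a", "\u0435": "e", "\u0456": "i", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0458": "j",
    "\u043d": "h", "\u0448": "w", "\u0433": "r",
}
# The entries the thread says had to be added: U+0442 (т) and U+044C (ь).
CONFUSABLES_AFTER = {**CONFUSABLES_BEFORE, "\u0442": "t", "\u044c": "b"}

# Constructed stand-in for the skeleton list built from the top-domain file.
TOP_DOMAIN_SKELETONS = {"twitter", "ebay", "whatsapp", "google"}

# Labels from the thread, as code points: тшіттег, еьау, шнатѕарр.
SAMPLE_LABELS = {
    "twitter": "\u0442\u0448\u0456\u0442\u0442\u0435\u0433",
    "ebay": "\u0435\u044c\u0430\u0443",
    "whatsapp": "\u0448\u043d\u0430\u0442\u0455\u0430\u0440\u0440",
}


def is_whole_script_cyrillic(label: str) -> bool:
    """True when every character is Cyrillic; a mixed-script check alone lets it through."""
    return all(unicodedata.name(ch, "").startswith("CYRILLIC") for ch in label)


def skeleton(label: str, confusables: dict) -> str:
    """Replace each character by its Latin look-alike, then compare the result."""
    return "".join(confusables.get(ch, ch) for ch in unicodedata.normalize("NFC", label))


def matches_top_domain(label: str, confusables: dict) -> bool:
    """The spoof check: does the label's skeleton collide with a top-domain skeleton?"""
    return skeleton(label, confusables) in TOP_DOMAIN_SKELETONS


def check(label: str) -> dict:
    """Summarise why the label passes the script check and whether each map catches it."""
    return {
        "whole_script": is_whole_script_cyrillic(label),
        "caught_before": matches_top_domain(label, CONFUSABLES_BEFORE),
        "caught_after": matches_top_domain(label, CONFUSABLES_AFTER),
    }


if __name__ == "__main__":
    for target, label in SAMPLE_LABELS.items():
        print(label, "->", skeleton(label, CONFUSABLES_AFTER), check(label))
```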

Comment 16 Deleted

Verified on 65.0.3291.0 on Mac and Linux. Fixed.

Attachment: Screen Shot 2017-12-11 at 23.56.23.png (161 KB)
Shouldn't be marked as fixed?
A patch has landed but perhaps jshin@ plans to do more work here. 
Status: Fixed (was: Assigned)
Sorry for the delay. For this particular issue, we can declare it to be fixed.

I asked for merge of the CL in comment 15 in bug 784761.

Comment 21 by sheriffbot@chromium.org, Jan 4

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 22 by bugdroid1@chromium.org, Jan 5

Labels: merge-merged-3282
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/908ed3e510e06341b8e9143c5e5cea94dad30e30

commit 908ed3e510e06341b8e9143c5e5cea94dad30e30
Author: Jungshik Shin <jshin@chromium.org>
Date: Fri Jan 05 19:46:54 2018

[M64 branch] Add a few more confusable map entries

1. Map Malayalam U+0D1F to 's'.
2. Map 'small-cap-like' Cyrillic letters to "look-alike" Latin lowercase
letters.

The characters in new confusable map entries are replaced by their Latin
"look-alike" characters before the skeleton is calculated to compare with
top domain names.

TBR=jshin@chromium.org

(cherry picked from commit b3f0207c14fccc11aaa9d4975ebe46554ad289cb)

Bug: 784761, 773930
Test: components_unittests --gtest_filter=*IDNToUni*
Change-Id: Ib26664e21ac5eb290e4a2993b01cbf0edaade0ee
Reviewed-on: https://chromium-review.googlesource.com/805214
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#521648}
Reviewed-on: https://chromium-review.googlesource.com/852973
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/branch-heads/3282@{#421}
Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}
[modify] https://crrev.com/908ed3e510e06341b8e9143c5e5cea94dad30e30/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/908ed3e510e06341b8e9143c5e5cea94dad30e30/components/url_formatter/idn_spoof_checker.h
[modify] https://crrev.com/908ed3e510e06341b8e9143c5e5cea94dad30e30/components/url_formatter/top_domains/alexa_domains.list
[modify] https://crrev.com/908ed3e510e06341b8e9143c5e5cea94dad30e30/components/url_formatter/top_domains/alexa_skeletons.gperf
[modify] https://crrev.com/908ed3e510e06341b8e9143c5e5cea94dad30e30/components/url_formatter/top_domains/make_alexa_top_list.py
[modify] https://crrev.com/908ed3e510e06341b8e9143c5e5cea94dad30e30/components/url_formatter/url_formatter_unittest.cc

Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Thanks! The VRP Panel decided to reward $500 for this report.  Cheers!
Labels: -reward-unpaid reward-inprocess
Labels: Release-0-M64
Labels: CVE-2018-6042

Comment 29 by sheriffbot@chromium.org, Mar 27

Labels: -M-64 M-65

Comment 30 by sheriffbot@chromium.org, Apr 12

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE_description-missing
