New issue
Advanced search Search tips
Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: Jan 13
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , iOS , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Security
Team-Security-UX



Sign in to add a comment

Security: IDN URL Spoofing with using "U+00FE"

Reported by chromium...@gmail.com, Jan 3 Back to list

Issue description

VERSION
Chrome Version: 65.0.3310.0 
Operating System: All

REPRODUCTION CASE
PoC: http://xn--wikiedia-s6a.com/

wikiþedia.com >> wikiþedia.com

Chrome does not block it.
 
Screen Shot 2018-01-03 at 23.48.09.png
86.1 KB View Download
Components: UI>Security>UrlFormatting
Labels: Security_Severity-Medium Security_Impact-Stable OS-Android OS-Chrome OS-Fuchsia OS-iOS OS-Linux OS-Mac OS-Windows Pri-1
Owner: js...@chromium.org
Status: Assigned (was: Unconfirmed)
Project Member

Comment 2 by sheriffbot@chromium.org, Jan 4

Labels: M-64
Also U+00DE þaypal.com appears to be registered.
U+00DE cannot be used (it's an uppercase Thorn) while U+00FE can be. 

I'll deal with this along with  bug 793628 . 


Status: Started (was: Assigned)
https://chromium-review.googlesource.com/c/chromium/src/+/860567 is a CL.
Project Member

Comment 6 by bugdroid1@chromium.org, Jan 13

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fe3c71592ccc6fd6f3909215e326ffc8fe0c35ce

commit fe3c71592ccc6fd6f3909215e326ffc8fe0c35ce
Author: Jungshik Shin <jshin@chromium.org>
Date: Sat Jan 13 01:11:09 2018

Add more confusable character map entries

When comparing domain names with top 10k domain names for confusability,
characters with diacritics are decomposed into base + diacritic marks
(Unicode Normalization Form D) and diacritics are dropped before
calculating the confusability skeleton because two characters with and
without a diacritics is NOT regarded as confusable.

However, there are a dozen of characters (most of them are Cyrillic)
with a diacritic-like mark attached but they are not decomposed into
base + diacritics by NFD (e.g. U+049B, қ; Cyrillic Small Letter Ka
with Descender).  This CL treats them the same way as their "base"
characters. For instance, қ (U+049B) is treated as confusable with
Latin k because к (U+043A; Cyrillic Small Letter Ka) is.

They're curated from the following sets:

[:IdentifierStatus=Allowed:] &  [:Ll:] &
  [[:sc=Cyrillic:] -
  [[\u01cd-\u01dc][\u1c80-\u1c8f][\u1e00-\u1e9b][\u1f00-\u1fff]
  [\ua640-\ua69f][\ua720-\ua7ff]]] &
[:NFD_Inert=Yes:]

[:IdentifierStatus=Allowed:] &  [:Ll:] &
  [[:sc=Latin:] - [[\u01cd-\u01dc][\u1e00-\u1e9b][\ua720-\ua7ff]]] &
[:NFD_Inert=Yes:]

[:IdentifierStatus=Allowed:] &  [:Ll:] & [[:sc=Greek:]] &
[:NFD_Inert=Yes:]

Bug:  793628 , 798892 
Test: components_unittests --gtest_filter=*IDN*
Change-Id: I20c6af13defa295f6952f33d75987e87ce1853d0
Reviewed-on: https://chromium-review.googlesource.com/860567
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Reviewed-by: Eric Lawrence <elawrence@chromium.org>
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Cr-Commit-Position: refs/heads/master@{#529129}
[modify] https://crrev.com/fe3c71592ccc6fd6f3909215e326ffc8fe0c35ce/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/fe3c71592ccc6fd6f3909215e326ffc8fe0c35ce/components/url_formatter/top_domains/test_domains.list
[modify] https://crrev.com/fe3c71592ccc6fd6f3909215e326ffc8fe0c35ce/components/url_formatter/top_domains/test_skeletons.gperf
[modify] https://crrev.com/fe3c71592ccc6fd6f3909215e326ffc8fe0c35ce/components/url_formatter/url_formatter_unittest.cc

Status: Fixed (was: Started)
Project Member

Comment 8 by sheriffbot@chromium.org, Jan 13

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
http://xn--wikiedia-s6a.org/ (wikiþedia.org) is now blocked in canary. 

Note that wikiþedia.com is not blocked because wikipedia.com is not in the top domain list. (at the moment, wikipedia.com is redirected to wikipedia.org ; when we update our top domain list, wikipedia.com may be added to the list). 

Oops! Sorry in comment #0 I meant wikiþedia.org not wikiþedia.com.
Labels: -M-64 M-65
Labels: -reward-topanel reward-unpaid reward-500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Labels: -reward-unpaid reward-inprocess
Project Member

Comment 15 by sheriffbot@chromium.org, Feb 8

Labels: Merge-Request-65
Project Member

Comment 16 by sheriffbot@chromium.org, Feb 9

Labels: -Merge-Request-65 Merge-Review-65 Hotlist-Merge-Review
This bug requires manual review: Less than 21 days to go before AppStore submit on M65
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
[Bulk Edit]

+awhalley@ (Security TPM) for M65 merge review
Labels: -M-65 -Merge-Review-65 M-66 Merge-Rejected-65
Labels: Release-0-M66
Project Member

Comment 20 by sheriffbot@chromium.org, Apr 21

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE-2018-6098
Labels: CVE_description-missing

Sign in to add a comment