Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , iOS , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Security
Team-Security-UX




Security: IDN URL Spoofing with using ŋ (U+014B)

Reported by chromium...@gmail.com, Feb 2 2018

Issue description

VERSION
Chrome Version: 66.0.3336.0 (Official Build) canary (64-bit)
Operating System: All

REPRODUCTION CASE

- Load http://xn--istagram-irb.com

Similar to bug 798892.

This ŋ (U+014B) is regarded as similar to Latin small letter N, so it should be blocked, but I could be wrong.

 
Attachment: Screen Shot 2018-02-02 at 04.18.31.png (94.1 KB)
Cc: js...@chromium.org
Components: UI>Security>UrlFormatting UI>Internationalization
Labels: OS-Android OS-Chrome OS-Fuchsia OS-iOS OS-Linux OS-Mac OS-Windows
Status: Untriaged (was: Unconfirmed)
Cc: -js...@chromium.org markda...@google.com creis@chromium.org jdonnelly@chromium.org
Labels: Security_Severity-Medium M-65 Security_Impact-Stable Pri-1
Owner: js...@chromium.org
Status: Assigned (was: Untriaged)
Summary: Security: IDN URL Spoofing with using ŋ (U+014B) (was: Security: IDN URL Spoofing with using ŋ (U+014B))
Assigning to jshin per go/url-spoofs.

Comment 3 by js...@chromium.org, Feb 3 2018

> This ŋ (U+014B) is regarded as similar to Latin small letter N, 

Well, the current Unicode data does not. It has to be added to Chrome's
Supplementary list to be regarded as similar.

Comment 4 by js...@chromium.org, Feb 14 2018

Cc: sffc@google.com bstell@google.com
Status: Started (was: Assigned)
Project Member

Comment 6 by bugdroid1@chromium.org, Feb 15 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/37747f4a4972e6d44d3f956f8d3a63255ef0941a

commit 37747f4a4972e6d44d3f956f8d3a63255ef0941a
Author: Jungshik Shin <jshin@chromium.org>
Date: Thu Feb 15 06:56:39 2018

Add more entries to the confusability mapping

U+014B (ŋ) => n
U+1004 (င) => c
U+100c (ဌ) => g
U+1042 (၂) => j
U+1054 (ၔ) => e

Bug:  811117 , 808316 
Test: components_unittests -gtest_filter=*IDN*
Change-Id: I29f73c48d665bd9070050bd7f0080563635b9c63
Reviewed-on: https://chromium-review.googlesource.com/919423
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#536955}
[modify] https://crrev.com/37747f4a4972e6d44d3f956f8d3a63255ef0941a/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/37747f4a4972e6d44d3f956f8d3a63255ef0941a/components/url_formatter/top_domains/test_domains.list
[modify] https://crrev.com/37747f4a4972e6d44d3f956f8d3a63255ef0941a/components/url_formatter/top_domains/test_skeletons.gperf
[modify] https://crrev.com/37747f4a4972e6d44d3f956f8d3a63255ef0941a/components/url_formatter/url_formatter_unittest.cc

Verified on 66.0.3349.0. Thanks as ever!

Comment 8 by js...@chromium.org, Feb 19 2018

Labels: Merge-Request-65
Status: Verified (was: Started)
Verified in 66.0.3350 as well. Thank you for verifying. 

http://xn--istagram-irb.com/ is shown in punycode instead of iŋstagram.com.

Requesting merge to the M-65 branch.

The CL recorded in comment 6 is simple (adding a few extra mapping entries) and safe.
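
Added example, not part of the original thread and not Chromium's code: a simplified Python sketch of how the mapping entries listed in comment 6 change the display decision for the reported hostname. The `TOP_DOMAINS` set, the function names and the mark-stripping skeleton are assumptions standing in for the real checker and its data.

```python
import unicodedata

# The five mappings listed in the commit message in comment 6.
COMMIT_MAP = {"\u014b": "n", "\u1004": "c", "\u100c": "g",
              "\u1042": "j", "\u1054": "e"}

# Constructed stand-in for a top-domain list (assumption, not Chromium's data).
TOP_DOMAINS = {"instagram.com"}


def to_unicode(host):
    """Decode each xn-- label with the standard-library punycode codec."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(text, extra_map):
    """Simplified skeleton: drop combining marks, then apply extra_map."""
    decomposed = unicodedata.normalize("NFD", text)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(extra_map.get(c, c) for c in base)


def display_form(host, extra_map):
    """Return the Unicode form, or keep punycode if it mimics a top domain."""
    ascii_host = host.lower()
    uni = to_unicode(ascii_host)
    # Only an IDN (decoded form differs) can be a lookalike of an ASCII name.
    if uni != ascii_host and skeleton(uni, extra_map) in TOP_DOMAINS:
        return ascii_host  # the xn-- form makes the lookalike visible
    return uni


if __name__ == "__main__":
    host = "xn--istagram-irb.com"  # hostname from the report
    print("without the new entries:", display_form(host, {}))
    print("with the new entries:   ", display_form(host, COMMIT_MAP))
```

With an empty map the skeleton of the decoded name does not match any listed domain, so the Unicode form is returned; with the entries from the commit the skeleton matches and the hostname stays in punycode.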

Project Member

Comment 9 by sheriffbot@chromium.org, Feb 19 2018

Labels: -Merge-Request-65 Merge-Review-65 Hotlist-Merge-Review
This bug requires manual review: Less than 11 days to go before AppStore submit on M65
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 10 by sheriffbot@chromium.org, Feb 19 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Cc: awhalley@chromium.org
+ awhalley@ (Security TPM) for M65 merge review
Labels: reward-topanel
Labels: -M-65 -Merge-Review-65 M-66 Merge-Rejected-65
Labels: -reward-topanel reward-0
I'm afraid the VRP panel declined to award for this one. Thanks for the report, as ever :-)
Labels: Release-0-M66
Labels: CVE-2018-6107
Labels: CVE_description-missing
Project Member

Comment 18 by sheriffbot@chromium.org, May 28

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
