Issue metadata
Sign in to add a comment
|
Security: IDN displayed instead of Punycode in some cases?
Reported by
pvishal...@gmail.com,
Feb 5 2018
|
||||||||||||||||||||||||
Issue descriptionThis template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template. Please READ THIS FAQ before filing a bug: https://chromium.googlesource.com /chromium/src/+/master/docs/security/faq.md Please see the following link for instructions on filing security bugs: https://www.chromium.org/Home/chromium-security/reporting-security-bugs NOTE: Security bugs are normally made public once a fix has been widely deployed. VULNERABILITY DETAILS Please provide a brief explanation of the security issue. Hi team, i get to know about punnycode. so i tried to enter punnycode website into message as per PoC. i can use http://xn--eby-7cd.com/ (but it not ebay.com). The problem arises in the fact that similar characters are hard to distiguish from each other. While a Cyrillic small letter "a" (Unicode character U+0430) is different from a Latin small letter "a" (U+0061), in a vulnerable browser they look the same when the Punycode is interpreted. Therefore, the owner of the domain name xn--80ak6aa92e.com, which is displayed as "apple.com" could create a convincing phishing site. as i shown in PoC it's under other information. so any other user will see that website and click on that it redirect to malicious websites. because there is no validation from sqaure as well as there is no intermediate message (eg. you are redirecting to http://xn--eby-7cd.com/) Here, i can see in redirect value as well you are not putting http://xn--eby-7cd.com/ , but it's showing punnycode website. so, victim get to know that it is different website. ex: http://xn--eby-7cd.com/ ->>>> http://xn--eby-7cd.com/ https://en.wikipedia.org/wiki/IDN_homograph_attack https://www.charset.org/pages/punycode.php? decoded=ma%C3%B1ana.com&encode=Normal+text+to+Punycode#results VERSION Latest chrome in windows 7 Operating System: [Please indicate OS, version, and service pack level] Windows 7 REPRODUCTION CASE Please include a demonstration of the security bug, such as an attached HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE make the file as small as possible and remove any content not required to demonstrate the bug. 1) for http://ebаy.com/ you are redirecting to correct one. 2) but for https://www.短.com/ I can't see any correct redirect , it should convert to https://www.xn--s7y.com Please let me know for any help to fix this issue. Thanks, Vishal
,
Feb 5 2018
Chrome's IDN behavior is described in this document: https://www.chromium.org/developers/design-documents/idn-in-google-chrome
,
May 14 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, Feb 5 2018Status: WontFix (was: Unconfirmed)
Summary: Security: IDN displayed instead of Punycode in some cases? (was: Security: Punny code allowed (Bypassed))