
Issue 812155

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 770709
Owner: ----
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security
Team-Security-UX



Security: IDN policy bug with ạ

Reported by andreada...@gmail.com, Feb 14 2018

Issue description

VULNERABILITY DETAILS

Chrome does not properly show this link in Punycode format: http://www.airfrạnce.com/ (ATTENTION: should be malicious). It contains a Latin Unicode character (ạ, U+1EA1) that is easily confused with a normal a, making users think they are visiting the real website.

VERSION

Chrome Version: 64.0.3282.167 stable
Operating System: Debian GNU/Linux testing (buster)

 
Last Firefox ESR 52.6.0 has the same issue, i'm going to report this to them too.

This is the punycode not shown of the site over: www.xn--airfrnce-rx0d.com
Components: UI>Security>UrlFormatting UI>Internationalization
Mergedinto: 770709
Status: Duplicate (was: Unconfirmed)
Summary: Security: IDN policy bug with ạ (was: Security: IDN policy bug)
Thanks for the report! This is being tracked by Issue 770709.
Project Member

Comment 3 by sheriffbot@chromium.org, Aug 25

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: idn-spoof
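
An added example, not part of the original report and not Chrome's IDN policy code: it decodes the Punycode label quoted in the report and flags labels whose non-ASCII letters reduce to plain ASCII once combining marks are stripped. The function names and the strip-diacritics heuristic are assumptions chosen for illustration.

```python
import unicodedata

# Sample input: the Punycode hostname quoted in the report above.
SAMPLE_HOST = "www.xn--airfrnce-rx0d.com"


def decode_label(label):
    """Return the Unicode form of one DNS label (decoding it if it is an A-label)."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed A-label: keep the raw text
    return label


def ascii_skeleton(text):
    """Drop combining marks after NFD, so U+1EA1 becomes a plain 'a'."""
    decomposed = unicodedata.normalize("NFD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def review_host(host):
    """List every label that contains non-ASCII characters, with what it imitates."""
    findings = []
    for label in host.split("."):
        uni = decode_label(label)
        if uni.isascii():
            continue
        skeleton = ascii_skeleton(uni)
        findings.append({
            "label": label,
            "unicode": uni,
            "skeleton": skeleton,
            "non_ascii": [f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}"
                          for ch in uni if ord(ch) > 127],
            # Hypothetical heuristic: the label is pure ASCII once marks are removed.
            "ascii_lookalike": skeleton.isascii() and skeleton != uni,
        })
    return findings


if __name__ == "__main__":
    for finding in review_host(SAMPLE_HOST):
        print(finding)
```

A label flagged with `ascii_lookalike` is a candidate for display in its `xn--` form or for comparison of its skeleton against a list of protected names.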
