
Issue metadata

Status: Verified
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, iOS, Chrome, Mac, Fuchsia
Pri: 1
Type: Bug-Security
Team-Security-UX




Issue 813814: Security: Whole-script confusable domain label spoofing (Cyrillic)

Reported by chromium...@gmail.com, Feb 20 2018

Issue description

VERSION
Chrome Version: 66.0.3350.0 (Official Build) canary (64-bit)
Operating System: All

REPRODUCTION CASE

https://xn--80aa2cah8a7f79b.com is shown as https://шӊатѕарр.com

Note: This is similar to issue 793628.

Comment 1 by elawrence@chromium.org, Feb 20 2018

Cc: js...@chromium.org mgiuca@chromium.org
Components: UI>Security>UrlFormatting UI>Internationalization
Is this a top-10K site?

Comment 2 by chromium...@gmail.com, Feb 20 2018

I think so, since https://xn--80aa1boaj3b9g.com is shown as expected.

Comment 3 by wfh@chromium.org, Feb 20 2018

Labels: Security_Severity-Medium Security_Impact-Stable OS-Android OS-Chrome OS-Fuchsia OS-iOS OS-Linux OS-Mac OS-Windows
Owner: js...@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 4 by js...@chromium.org, Feb 20 2018

Cc: -js...@chromium.org markda...@google.com bstell@google.com
Status: Started (was: Assigned)
Thanks for the report. 

U+04CA (ӊ) was missed in bug 793628 because it didn't look like capital H with a font (Symbola) that happened to render the character in
https://goo.gl/orKdsQ for the following set. (The Unicode util page specifies a bunch of fonts, and the first one covering U+04CA was 'symbola', with a rather unusual shape for U+04CA.)


[:IdentifierStatus=Allowed:] &  [:Ll:] &
  [[:sc=Cyrillic:] -
  [[\u01cd-\u01dc][\u1c80-\u1c8f][\u1e00-\u1e9b][\u1f00-\u1fff]
  [\ua640-\ua69f][\ua720-\ua7ff]]] &
[:NFD_Inert=Yes:]

Comment 5 by sheriffbot@chromium.org, Feb 21 2018

Project Member
Labels: M-65

Comment 6 by sheriffbot@chromium.org, Feb 21 2018

Project Member
Labels: Pri-1

Comment 7 by bugdroid1@chromium.org, Feb 21 2018

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d52b8375cfe5b56194d3df09c18e7b64e5838369

commit d52b8375cfe5b56194d3df09c18e7b64e5838369
Author: Jungshik Shin <jshin@chromium.org>
Date: Wed Feb 21 18:40:39 2018

Add a few more entries to the confusables list for IDN

U+04CA (ӊ) => h
U+0E1F (ฟ) => w
U+0E23 (ร) => s

Bug: 813925, 813814
Test: components_unittests --gtest_filter=*IDN*
Change-Id: If81ea9bf1c1729f1b6ffc71d718dc5950ac825b5
Reviewed-on: https://chromium-review.googlesource.com/927741
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#538159}
[modify] https://crrev.com/d52b8375cfe5b56194d3df09c18e7b64e5838369/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/d52b8375cfe5b56194d3df09c18e7b64e5838369/components/url_formatter/top_domains/test_domains.list
[modify] https://crrev.com/d52b8375cfe5b56194d3df09c18e7b64e5838369/components/url_formatter/top_domains/test_skeletons.gperf
[modify] https://crrev.com/d52b8375cfe5b56194d3df09c18e7b64e5838369/components/url_formatter/url_formatter_unittest.cc
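As an added illustration (not code from Chromium, the commit, or any commenter), a reduced skeleton-style confusable check in Python that shows why U+04CA slipped through and what the commit's extra mappings change. The confusable tables and the top-domain list are constructed for the example; it assumes whatsapp.com is the imitated site, which the thread implies but never names.

```python
import unicodedata

# Constructed confusable table (example only): Cyrillic look-alikes a
# confusable check is assumed to know already, modelled on Unicode confusables.txt.
BASE_CONFUSABLES = {
    "\u0430": "a", "\u0440": "p", "\u0442": "t", "\u0448": "w",
    "\u0455": "s", "\u043d": "h", "\u0435": "e", "\u043e": "o",
}
# The three entries the commit on this bug adds: U+04CA, U+0E1F, U+0E23.
FIXED_CONFUSABLES = {**BASE_CONFUSABLES, "\u04ca": "h", "\u0e1f": "w", "\u0e23": "s"}

# Constructed top-domain skeleton list; assumes whatsapp.com is the imitated site.
TOP_DOMAIN_SKELETONS = {"whatsapp.com"}


def skeleton(label, table):
    """Fold a label to its Latin look-alike: NFD, map confusables, NFD again."""
    mapped = "".join(table.get(ch, ch) for ch in unicodedata.normalize("NFD", label))
    return unicodedata.normalize("NFD", mapped)


def to_ace(label):
    """Unicode label -> punycode (ACE) label."""
    return "xn--" + label.encode("punycode").decode("ascii")


def from_ace(label):
    """ACE label -> Unicode label; plain ASCII labels are returned unchanged."""
    if not label.startswith("xn--"):
        return label
    return label[4:].encode("ascii").decode("punycode")


def display_hostname(ace_host, table):
    """Decide what the URL bar shows: the Unicode form, unless its skeleton
    collides with a top domain it is not actually equal to (then punycode)."""
    unicode_labels = [from_ace(l) for l in ace_host.lower().split(".")]
    unicode_host = ".".join(unicode_labels)
    skel = ".".join(skeleton(l, table) for l in unicode_labels)
    if skel in TOP_DOMAIN_SKELETONS and skel != unicode_host:
        return ace_host
    return unicode_host


if __name__ == "__main__":
    host = "xn--80aa2cah8a7f79b.com"  # the reported domain
    print(display_hostname(host, BASE_CONFUSABLES))   # шӊатѕарр.com (spoof shown)
    print(display_hostname(host, FIXED_CONFUSABLES))  # xn--80aa2cah8a7f79b.com
```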

Comment 8 by js...@chromium.org, Feb 22 2018

Status: Fixed (was: Started)

Comment 9 by sheriffbot@chromium.org, Feb 24 2018

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 10 by awhalley@google.com, Feb 26 2018

Labels: reward-topanel

Comment 11 by awhalley@chromium.org, Mar 6 2018

Labels: -M-65 M-66

Comment 12 by awhalley@chromium.org, Mar 6 2018

Labels: -reward-topanel reward-unpaid reward-500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Comment 13 by awhalley@google.com, Mar 7 2018

Thanks! $500 for this.

Comment 14 by awhalley@chromium.org, Mar 7 2018

Labels: -reward-unpaid reward-inprocess

Comment 15 by sheriffbot@chromium.org, Mar 16 2018

Project Member
Labels: Merge-Request-66

Comment 16 by sheriffbot@chromium.org, Mar 16 2018

Project Member
Labels: -Merge-Request-66 Merge-Review-66 Hotlist-Merge-Review
This bug requires manual review: Less than 28 days to go before AppStore submit on M66
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 17 by cmasso@google.com, Mar 19 2018

Please verify the fix in the latest canary

Comment 18 by chromium...@gmail.com, Mar 19 2018

Verified on canary 67.0.3375.0, https://шӊатѕарр.com is shown in punycode as expected.

Comment 19 by cmasso@google.com, Mar 19 2018

Labels: -Hotlist-Merge-Review -Merge-Review-66 Merge-Approved-66

Comment 20 by js...@chromium.org, Mar 20 2018

Status: Verified (was: Fixed)
The CL for this bug was landed on Feb 21 (a week before 66 branch). See comment 7.

Comment 21 by abdulsyed@google.com, Mar 20 2018

Labels: -Merge-Approved-66

Comment 22 by awhalley@google.com, Apr 17 2018

Labels: Release-0-M66

Comment 23 by awhalley@chromium.org, Apr 25 2018

Labels: CVE-2018-6102

Comment 24 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-missing

Comment 25 by sheriffbot@chromium.org, Jun 1 2018

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 26 by mea...@chromium.org, Oct 19

Labels: idn-spoof

Comment 27 by awhalley@chromium.org, Dec 4

Labels: -CVE_description-missing CVE_description-submitted
