Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Mar 16
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 1
Type: Bug-Security
Team-Security-UX




Security: IDN URL Spoofing with U+04FD, U+050F, U+050B

Reported by chromium...@gmail.com, Feb 27 2018

Issue description

VERSION
Chrome Version: 66.0.3355.0 (Official Build) canary (64-bit)
Operating System: Mac

This "ӻ" looks more like an "F" on macOS, unlike on other devices (I'd not regard this as a spoofing risk on Windows or Linux).

- Load http://xn--80akppap2f26e.com (ӻасеьоок.com)
 
Attachment: Screen Shot 2018-02-27 at 03.04.01.png (26.8 KB)
Cc: js...@chromium.org mgiuca@chromium.org
Components: UI>Security>UrlFormatting UI>Internationalization
Labels: FoundIn-66 FoundIn-65 Security_Impact-Stable OS-Mac
Status: Untriaged (was: Unconfirmed)

Comment 3 by kenrb@chromium.org, Feb 28 2018

Cc: -js...@chromium.org kenrb@chromium.org
Labels: Security_Severity-Medium OS-Linux Pri-1
Owner: js...@chromium.org
Status: Assigned (was: Untriaged)
Similar to issue 817247.
Project Member

Comment 4 by sheriffbot@chromium.org, Mar 1

Labels: M-65
Cc: markda...@google.com sffc@google.com bstell@google.com
See bug 817247 comment 7. We can generate multiple skeletons for an incoming domain name (platform/font-dependent skeletons) and compare them against the top domain skeletons.

Oh... U+04FB (ӻ) is not mapped to anything, yet. So, this is different from bug 817247. We can err on the side of being overly defensive and add a "ӻ -> f" map entry.


Comment 8 Deleted

+ There is another letter that should be mapped, U+050F (ԏ), which also looks like "t" on Windows (https://шнаԏѕарр.com).

Attachment: Screen Shot 2018-03-13 at 04.46.22.png (16.8 KB)
Summary: Security: IDN URL Spoofing with U+04FD, U+050F, U+050B (was: Security: IDN URL Spoofing on macOS)
Thanks. U+050B (ԋ) can be problematic as well. 
Project Member

Comment 11 by bugdroid1@chromium.org, Mar 16

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/de9acc5cb3527da9173f01973d849bd47f91a9fd

commit de9acc5cb3527da9173f01973d849bd47f91a9fd
Author: Jungshik Shin <jshin@chromium.org>
Date: Fri Mar 16 02:25:57 2018

Add more to confusables list

U+04FB (ӻ) to f
U+050F (ԏ) to t
U+050B (ԋ) and U+0527 (ԧ) to h
U+0437(з) and U+04E1(ӡ) to 3

Add tests for the above entries and tests for ASCII-digit spoofing.

Bug:  816769 , 820068 
Test: components_unittests --gtest_filter=*IDN*
Change-Id: I6cd0a7e97cd0ec2df522ce30f632acfd7b78eee2
Reviewed-on: https://chromium-review.googlesource.com/962875
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Peter Kasting <pkasting@chromium.org>
Cr-Commit-Position: refs/heads/master@{#543600}
[modify] https://crrev.com/de9acc5cb3527da9173f01973d849bd47f91a9fd/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/de9acc5cb3527da9173f01973d849bd47f91a9fd/components/url_formatter/top_domains/test_domains.list
[modify] https://crrev.com/de9acc5cb3527da9173f01973d849bd47f91a9fd/components/url_formatter/top_domains/test_skeletons.gperf
[modify] https://crrev.com/de9acc5cb3527da9173f01973d849bd47f91a9fd/components/url_formatter/url_formatter_unittest.cc
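
The skeleton comparison discussed in this thread, as an added example that is not part of the original issue and is not Chromium's code: a hostname is reduced to a skeleton through a confusables table and compared with the skeletons of a top-domain list, first without and then with the entries named in the commit message. The function names, the `ASSUMED_BASE` mappings and the `TOP_DOMAINS` list are assumptions constructed for illustration.

```python
# Simplified skeleton check (added example, not Chromium's implementation).

# Confusable entries named in the commit message on this page.
COMMIT_ENTRIES = {
    "\u04fb": "f",  # ӻ
    "\u050f": "t",  # ԏ
    "\u050b": "h",  # ԋ
    "\u0527": "h",  # ԧ
    "\u0437": "3",  # з
    "\u04e1": "3",  # ӡ
}

# Assumed pre-existing mappings, constructed for this example so that the two
# hostnames quoted in the issue can be reduced to ASCII.
ASSUMED_BASE = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u044c": "b",
    "\u043e": "o", "\u043a": "k", "\u0448": "w", "\u043d": "h",
    "\u0455": "s", "\u0440": "p",
}

TOP_DOMAINS = {"facebook.com", "whatsapp.com"}  # constructed sample list

BEFORE = dict(ASSUMED_BASE)                 # table without the commit's entries
AFTER = {**ASSUMED_BASE, **COMMIT_ENTRIES}  # table with them

# The two hostnames quoted in the issue, written as escapes.
FB_LOOKALIKE = "\u04fb\u0430\u0441\u0435\u044c\u043e\u043e\u043a.com"
WA_LOOKALIKE = "\u0448\u043d\u0430\u050f\u0455\u0430\u0440\u0440.com"


def skeleton(host, table):
    """Map each character through the table; unmapped characters pass through."""
    return "".join(table.get(ch, ch) for ch in host.lower())


def matches_top_domain(host, table):
    """Return the top domain whose skeleton equals the host's, or None."""
    if host.isascii():
        return None  # an all-ASCII name is not treated as a lookalike here
    top_skeletons = {skeleton(d, table): d for d in TOP_DOMAINS}
    return top_skeletons.get(skeleton(host, table))


if __name__ == "__main__":
    for table_name, table in (("before", BEFORE), ("after", AFTER)):
        for host in (FB_LOOKALIKE, WA_LOOKALIKE):
            print(table_name, host, "->", matches_top_domain(host, table))
```

A match is the signal to display the hostname in its punycode form instead of Unicode; with the `BEFORE` table the unmapped ӻ and ԏ survive into the skeleton, so neither hostname matches.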

Status: Fixed (was: Assigned)
Project Member

Comment 13 by sheriffbot@chromium.org, Mar 17

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Project Member

Comment 15 by sheriffbot@chromium.org, Mar 20

Labels: Merge-Request-66
Project Member

Comment 16 by sheriffbot@chromium.org, Mar 20

Labels: -Merge-Request-66 Merge-Review-66 Hotlist-Merge-Review
This bug requires manual review: M66 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-66 Merge-Approved-66
Approving merge for M66. Branch:3359
Project Member

Comment 18 by bugdroid1@chromium.org, Mar 20

Labels: -merge-approved-66 merge-merged-3359
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a0909838fdd22cf3de12f2e6f896ac14d82257d0

commit a0909838fdd22cf3de12f2e6f896ac14d82257d0
Author: Jungshik Shin <jshin@chromium.org>
Date: Tue Mar 20 20:50:45 2018

[M66 branch] Add more to confusables list

U+04FB (ӻ) to f
U+050F (ԏ) to t
U+050B (ԋ) and U+0527 (ԧ) to h
U+0437(з) and U+04E1(ӡ) to 3

Add tests for the above entries and tests for ASCII-digit spoofing.

Bug:  816769 , 820068 
Test: components_unittests --gtest_filter=*IDN*
Change-Id: I6cd0a7e97cd0ec2df522ce30f632acfd7b78eee2
Reviewed-on: https://chromium-review.googlesource.com/962875
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Peter Kasting <pkasting@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#543600}
(cherry picked from commit de9acc5cb3527da9173f01973d849bd47f91a9fd)
Reviewed-on: https://chromium-review.googlesource.com/971769
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/branch-heads/3359@{#355}
Cr-Branched-From: 66afc5e5d10127546cc4b98b9117aff588b5e66b-refs/heads/master@{#540276}
[modify] https://crrev.com/a0909838fdd22cf3de12f2e6f896ac14d82257d0/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/a0909838fdd22cf3de12f2e6f896ac14d82257d0/components/url_formatter/top_domains/test_domains.list
[modify] https://crrev.com/a0909838fdd22cf3de12f2e6f896ac14d82257d0/components/url_formatter/top_domains/test_skeletons.gperf
[modify] https://crrev.com/a0909838fdd22cf3de12f2e6f896ac14d82257d0/components/url_formatter/url_formatter_unittest.cc

Labels: -M-65
Given the way other related IDN spoofing bugs were triaged, I'm dropping M65. 

bug 813925,  bug 813814 
 bug 811117 ,  bug 808316 
 bug 803571 
Labels: -reward-topanel M-66 reward-0
I'm afraid the VRP panel declined to reward for this one.
Labels: Release-0-M66
Labels: CVE-2018-6108
Labels: CVE_description-missing
Project Member

Comment 24 by sheriffbot@chromium.org, Jun 23

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
