Issue 817247

Issue metadata

Status: Fixed
Owner:
Closed: Apr 17
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 1
Type: Bug-Security
Team-Security-UX




Security: IDN URL Spoofing with using U+04CF

Reported by chromium...@gmail.com, Feb 28 2018

Issue description

Chrome Version: 66.0.3356.0 (Official Build) canary (64-bit)
Operating System: Mac

- U+04CF (ӏ) looks like an "I" 

http://xn--80aai1bls6k55bcq.com/ (ӏпѕтаԍгам.com)
http://xn--80ajo90d.com/ (ӏкеа.com)

It's not easy to catch the spoofing 

Note on Windows: the URLs are blocked.
 
Cc: js...@chromium.org mgiuca@chromium.org
Components: UI>Security>UrlFormatting UI>Internationalization
Labels: FoundIn-66 Security_Impact-Stable FoundIn-65 OS-Mac
Status: Untriaged (was: Unconfirmed)
Can you explain what you mean by "the URLs are blocked"?
Attachment: spoof.png (21.9 KB)
E.g. http://xn--istagram-irb.com is shown in punycode instead of ӏпѕтаԍгам.com (only on Windows).
Attachment: Screen Shot on Windows 7.png (15.2 KB)

Comment 3 by kenrb@chromium.org, Feb 28 2018

Cc: -js...@chromium.org kenrb@chromium.org
Labels: Security_Severity-Medium OS-Linux Pri-1
Owner: js...@chromium.org
Status: Assigned (was: Untriaged)
jshin@: Can you have a look at these? These are imperfect homographs, but they still resemble the characters they are spoofing. What is the current expectation on strings like this?

Comment 4 by js...@chromium.org, Mar 1 2018

U+04CF on Mac OS/Linux is mapped to lowercase L while on Windows it's mapped to lowercase I.  

Depending on fonts, U+04CF looks different. There's no easy way to handle both cases. 


Comment 5 by sheriffbot@chromium.org, Mar 1 2018

Labels: M-65

Comment 6 by js...@chromium.org, Mar 1 2018

Cc: markda...@google.com bstell@google.com sffc@google.com

Comment 7 by js...@chromium.org, Mar 2 2018

One possibility is that we generate multiple skeletons to cover font/platform differences and compare them to the skeletons of top domains we have.



Comment 8 by js...@chromium.org, Mar 14 2018

[\u0131\u0269\u026A\u03B9\u0456\u04CF\u13A5\uA647\U000118C3] & [:IdentifierStatus=Allowed:]
=>
 ı  U+0131  LATIN SMALL LETTER DOTLESS I
 ι  U+03B9  GREEK SMALL LETTER IOTA
 і  U+0456  CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
 ӏ  U+04CF  CYRILLIC SMALL LETTER PALOCHKA

Three more characters that may need a similar treatment. 

They're currently folded to 'i'. In addition to that, we can map them to 'l' (lowercase L) for the 2nd check and calculate the skeleton. Then, it'd match 'digit 1' as well because digit 1's skeleton is lowercase L. (see bug 820068)


Comment 9 by js...@chromium.org, Mar 14 2018

Summary: Security: IDN URL Spoofing with using U+04CF and similar characters (was: Security: IDN URL Spoofing with using U+04CF)

Comment 11 by sheriffbot@chromium.org, Apr 6

jshin: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Summary: Security: IDN URL Spoofing with using U+04CF (was: Security: IDN URL Spoofing with using U+04CF and similar characters)
I revised the CL (comment 22) to handle only U+04CF. We need to come up with another way to handle them (mapping 'i' to 'l' is one possibility, but it can affect too many domains).

I'll file a new bug on them. 

Status: Started (was: Assigned)

Comment 14 by bugdroid1@chromium.org, Apr 17

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f9b56bc54fdff5981dba39a707489c3ca9980fac

commit f9b56bc54fdff5981dba39a707489c3ca9980fac
Author: Jungshik Shin <jshin@chromium.org>
Date: Tue Apr 17 06:15:05 2018

Map U+04CF to lowercase L as well.

U+04CF (ӏ) has the confusability skeleton of 'i' (lowercase
I), but it can be confused for 'l' (lowercase L) or '1' (digit) if rendered
in some fonts.

If a host name contains it, calculate the confusability skeleton
twice, once with the default mapping to 'i' (lowercase I) and the 2nd
time with an alternative mapping to 'l'. Mapping them to 'l' (lowercase L)
also gets it treated as similar to digit 1 because the confusability
skeleton of digit 1 is 'l'.

Bug:  817247 
Test: components_unittests --gtest_filter=*IDN*
Change-Id: I7442b950c9457eea285e17f01d1f43c9acc5d79c
Reviewed-on: https://chromium-review.googlesource.com/974165
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Reviewed-by: Eric Lawrence <elawrence@chromium.org>
Cr-Commit-Position: refs/heads/master@{#551263}
[modify] https://crrev.com/f9b56bc54fdff5981dba39a707489c3ca9980fac/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/f9b56bc54fdff5981dba39a707489c3ca9980fac/components/url_formatter/top_domains/test_domains.list
[modify] https://crrev.com/f9b56bc54fdff5981dba39a707489c3ca9980fac/components/url_formatter/top_domains/test_skeletons.gperf
[modify] https://crrev.com/f9b56bc54fdff5981dba39a707489c3ca9980fac/components/url_formatter/url_formatter_unittest.cc
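
The two-pass skeleton check described in comment 8 and in the commit message above, as an added example that is not Chromium's code: idn_spoof_checker.cc obtains the skeleton from ICU's spoof checker, whereas this Python script uses a small constructed confusable table (an assumption covering only the characters needed here), a constructed stand-in for the top-domain list, and Python's punycode codec to decode the xn-- label from the report (no IDNA validation). It computes the skeleton once with the default mapping of U+04CF to 'i' and, when the host contains U+04CF, a second time with the alternative mapping to 'l', which also catches look-alikes of digit 1 because 1's skeleton is 'l'. The last sample shows that U+0456, one of the three characters comment 8 flags, gets no second pass and therefore still slips through against a domain containing 'l'.

```python
# Added example (not Chromium's code): a two-pass confusability check in the
# spirit of the fix in this bug.  Chromium's idn_spoof_checker.cc obtains the
# skeleton from ICU's USpoofChecker; CONFUSABLE below is a constructed subset
# covering only the characters used in this example.
from __future__ import annotations

PALOCHKA = "\u04cf"  # CYRILLIC SMALL LETTER PALOCHKA (ӏ)

# Constructed subset of confusable mappings (assumption: stands in for the
# Unicode confusables data that ICU uses).
CONFUSABLE = {
    PALOCHKA: "i",  # default skeleton of U+04CF is lowercase I
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u043a": "k",  # CYRILLIC SMALL LETTER KA
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "1": "l",       # digit 1 has the skeleton of lowercase L (see bug 820068)
}

# Alternative mapping applied on the second pass, as the fix does.
ALT_MAPPING = {PALOCHKA: "l"}

# Constructed stand-in for Chromium's top-domain list.
TOP_DOMAINS = ["ikea.com", "google.com", "1and1.com"]


def skeleton(host: str, overrides: dict[str, str] | None = None) -> str:
    """Replace every character by its confusable skeleton (overrides win)."""
    table = dict(CONFUSABLE)
    if overrides:
        table.update(overrides)
    return "".join(table.get(ch, ch) for ch in host)


def decode_ace(host: str) -> str:
    """Decode xn-- labels with the punycode codec (no IDNA validation)."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def lookalike_of(host: str, top_domains=TOP_DOMAINS) -> str | None:
    """Return the top domain that `host` is confusable with, or None.

    Pass 1 uses the default skeleton.  If the host contains U+04CF, pass 2
    recomputes the skeleton with U+04CF mapped to 'l', so look-alikes of
    lowercase L and of digit 1 are caught as well.
    """
    top_skeletons = {skeleton(d): d for d in top_domains}
    candidates = [skeleton(host)]
    if PALOCHKA in host:
        candidates.append(skeleton(host, ALT_MAPPING))
    for s in candidates:
        if s in top_skeletons:
            return top_skeletons[s]
    return None


if __name__ == "__main__":
    samples = [
        decode_ace("xn--80ajo90d.com"),  # ӏкеа.com from the report
        "goog" + PALOCHKA + "e.com",     # only caught by the 'l' pass
        PALOCHKA + "and1.com",           # matches '1and1.com' via 1 -> l
        "goog\u0456e.com",               # U+0456 gets no second pass
        "example.com",
    ]
    for host in samples:
        print(f"{host!r:28} -> {lookalike_of(host)}")
```

The second pass is only run when the host actually contains U+04CF, mirroring the commit message; extending `ALT_MAPPING` to the other characters listed in comment 8 would widen the match set considerably, which is the "too many domains" concern raised later in the thread.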

Status: Fixed (was: Started)
Will ask for merge to M67 after a canary is out. 


Comment 16 by sheriffbot@chromium.org, Apr 18

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -M-65 Merge-Request-67 M-66 M-67

Comment 19 by sheriffbot@chromium.org, Apr 25

Labels: -Merge-Request-67 Merge-Approved-67 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M67. Please go ahead and merge the CL to branch 3396 manually. Please contact milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 20 by bugdroid1@chromium.org, Apr 25

Labels: -merge-approved-67 merge-merged-3396
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/507d6f67c07f8e0e0bf9d80fe21f38f9903c63e2

commit 507d6f67c07f8e0e0bf9d80fe21f38f9903c63e2
Author: Jungshik Shin <jshin@chromium.org>
Date: Wed Apr 25 21:25:43 2018

[Merge M67] Map U+04CF to lowercase L as well.

U+04CF (ӏ) has the confusability skeleton of 'i' (lowercase
I), but it can be confused for 'l' (lowercase L) or '1' (digit) if rendered
in some fonts.

If a host name contains it, calculate the confusability skeleton
twice, once with the default mapping to 'i' (lowercase I) and the 2nd
time with an alternative mapping to 'l'. Mapping them to 'l' (lowercase L)
also gets it treated as similar to digit 1 because the confusability
skeleton of digit 1 is 'l'.

TBR=govind@chromium.org

Bug:  817247 
Test: components_unittests --gtest_filter=*IDN*
Change-Id: I7442b950c9457eea285e17f01d1f43c9acc5d79c
Reviewed-on: https://chromium-review.googlesource.com/974165
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Reviewed-by: Eric Lawrence <elawrence@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#551263}
(cherry picked from commit f9b56bc54fdff5981dba39a707489c3ca9980fac)
Reviewed-on: https://chromium-review.googlesource.com/1028339
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/branch-heads/3396@{#309}
Cr-Branched-From: 9ef2aa869bc7bc0c089e255d698cca6e47d6b038-refs/heads/master@{#550428}
[modify] https://crrev.com/507d6f67c07f8e0e0bf9d80fe21f38f9903c63e2/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/507d6f67c07f8e0e0bf9d80fe21f38f9903c63e2/components/url_formatter/top_domains/test_domains.list
[modify] https://crrev.com/507d6f67c07f8e0e0bf9d80fe21f38f9903c63e2/components/url_formatter/top_domains/test_skeletons.gperf
[modify] https://crrev.com/507d6f67c07f8e0e0bf9d80fe21f38f9903c63e2/components/url_formatter/url_formatter_unittest.cc

Labels: -reward-topanel reward-unpaid reward-500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
$500 for this one :-)
Labels: -reward-unpaid reward-inprocess
Filed bug 843352 about comment 12
Labels: -M-66
Labels: Release-0-M67
Labels: CVE-2018-6133 CVE_description-missing

Comment 28 by sheriffbot@chromium.org, Jul 25

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
