Issue metadata

Status: Fixed
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , iOS , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Security
Team-Security-UX




Issue 820068: Security: IDN URL Spoofing with using "U+0437" (cyrillic small letter Ze)

Reported by chromium...@gmail.com, Mar 8 2018

Issue description

VERSION
Chrome Version: 67.0.3364.0 (Official Build) canary (64-bit)
Operating System: All

REPRODUCTION CASE

http://xn--g1amdam3je98g4t.com is shown as https://ԝзѕснооӏѕ.com

Note: "w3schools.com" is a top-10K site.

Attachment: Screen Shot 2018-03-08 at 14.45.02.png (28.4 KB)

Comment 1 by elawrence@chromium.org, Mar 9 2018

Cc: js...@chromium.org mgiuca@chromium.org
Components: UI>Security>UrlFormatting UI>Internationalization
Labels: FoundIn-67

Comment 2 by mbarbe...@chromium.org, Mar 9 2018

Cc: -js...@chromium.org
Labels: Security_Impact-Stable Security_Severity-Low
Owner: js...@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 3 by chromium...@gmail.com, Mar 9 2018

It should be labeled as a ‘sev-medium’ like issue 813814 and others.

Comment 4 by mbarbe...@chromium.org, Mar 9 2018

Labels: -Security_Severity-Low Security_Severity-Medium OS-Android OS-Chrome OS-Fuchsia OS-iOS OS-Linux OS-Mac OS-Windows
We've been pretty inconsistent with the severity for this type of spoof. Medium and Low are both used fairly frequently. Since that bug is fairly recent I'll up this to medium for consistency, but I'll defer to anyone who deals with this type of issue more often if they want to change it again.

Comment 5 by sheriffbot@chromium.org, Mar 10 2018

Project Member
Labels: M-65

Comment 6 by sheriffbot@chromium.org, Mar 11 2018

Project Member
Labels: Pri-1

Comment 7 by chromium...@gmail.com, Mar 13 2018

Another example - http://xn--12-6kc4a0ah.com (hoa123.com is also a top-10K site).

Comment 8 by js...@chromium.org, Mar 13 2018

Thank you for the report.

Curiously, U+0417 (З) is in the Unicode confusables list, but its lowercase counterpart U+0437 (з) is not.
The same is true of U+04E0 (Ӡ) and U+04E1 (ӡ).

https://unicode.org/cldr/utility/confusables.jsp?a=%D0%B7%D3%A1&r=None found more:

U+025C (ɜ), U+1D08 (ᴈ), U+021D (ȝ), U+0292 (ʒ), U+04E1 (ӡ), U+10F3 (ჳ), U+2CCD (ⳍ), U+A76B (ꝫ).

U+2CCD is Coptic, which is not allowed. The others have to be added to the confusable map.

Comment 9 by js...@chromium.org, Mar 13 2018

Well, [[\u025c\u1d08\u021d\u0292\u04e1\u10f3\u2ccd\ua76b] & [:IdentifierStatus=Allowed:]] has only one element, U+04E1.
( https://goo.gl/p1uKHj )

So, for this bug, U+0437 and U+04E1 have to be mapped to 3.

'1' (digit 1) will be a can of worms. ( bug 817247 )

Comment 10 by js...@chromium.org, Mar 13 2018

Cc: markda...@google.com sffc@google.com bstell@google.com
$ egrep '^[0-9]{2,}\.' alexa_domains.list | wc -l
50

$ egrep '[0-9]' alexa_domains.list  | wc -l
663

$ egrep '[0-9]{2,}' alexa_domains.list | wc -l
345
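
Added example, not code from this thread or from Chromium: a simplified model of the check discussed in comments 8 to 10, folding each character of a hostname to the ASCII character it is confusable with and comparing the result against a top-domain list. The confusable table, the top-domain list and the hostname constants are constructed stand-ins; the example shows the reported hostname passing while з (U+0437) is unmapped and being flagged once the entries from the fix are in the table.

```python
import unicodedata

# Constructed, heavily simplified confusable table modelled on the entries
# discussed in this bug; it is NOT Chromium's idn_spoof_checker table, which
# starts from ICU's spoof-checker skeleton and is far larger.
CONFUSABLES_BEFORE_FIX = {
    "\u051d": "w",  # ԝ Cyrillic small letter we
    "\u0455": "s",  # ѕ Cyrillic small letter dze
    "\u0441": "c",  # с Cyrillic small letter es
    "\u043d": "h",  # н Cyrillic small letter en
    "\u043e": "o",  # о Cyrillic small letter o
    "\u04cf": "l",  # ӏ Cyrillic small letter palochka
    "\u0430": "a",  # а Cyrillic small letter a
}
# The entries the commit in comment 11 adds; з (U+0437) -> 3 is this bug.
ADDED_BY_FIX = {
    "\u0437": "3",  # з Cyrillic small letter ze
    "\u04e1": "3",  # ӡ Cyrillic small letter abkhasian dze
    "\u04fb": "f",  # ӻ
    "\u050f": "t",  # ԏ
    "\u050b": "h",  # ԋ
    "\u0527": "h",  # ԧ
}
CONFUSABLES_AFTER_FIX = {**CONFUSABLES_BEFORE_FIX, **ADDED_BY_FIX}

# Constructed stand-in for the top-domain list the skeleton is compared against.
TOP_DOMAINS = {"w3schools.com", "hao123.com", "google.com"}

# The hostname from the report (ԝзѕснооӏѕ.com), spelled out as code points so
# the exact characters are unambiguous.
REPORTED_HOSTNAME = "\u051d\u0437\u0455\u0441\u043d\u043e\u043e\u04cf\u0455.com"


def skeleton(hostname, table):
    """Fold every character to the ASCII character it is confusable with."""
    folded = unicodedata.normalize("NFKC", hostname.lower())
    return "".join(table.get(ch, ch) for ch in folded)


def spoofs_top_domain(hostname, table=CONFUSABLES_AFTER_FIX):
    """Return the top domain `hostname` looks like, or None.

    Pure-ASCII hostnames are never IDN spoofs; anything else is folded and
    flagged only when its skeleton lands exactly on a top domain.
    """
    if hostname.isascii():
        return None
    sk = skeleton(hostname, table)
    return sk if sk in TOP_DOMAINS else None
```

With the pre-fix table the skeleton still contains the raw з, so it misses w3schools.com; the same table also leaves digits in place, which is why the digit counts above matter for which mappings are worth adding.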

Comment 11 by bugdroid1@chromium.org, Mar 16 2018

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/de9acc5cb3527da9173f01973d849bd47f91a9fd

commit de9acc5cb3527da9173f01973d849bd47f91a9fd
Author: Jungshik Shin <jshin@chromium.org>
Date: Fri Mar 16 02:25:57 2018

Add more to confusables list

U+04FB (ӻ) to f
U+050F (ԏ) to t
U+050B (ԋ) and U+0527 (ԧ) to h
U+0437(з) and U+04E1(ӡ) to 3

Add tests for the above entries and tests for ASCII-digit spoofing.

Bug: 816769, 820068
Test: components_unittests --gtest_filter=*IDN*
Change-Id: I6cd0a7e97cd0ec2df522ce30f632acfd7b78eee2
Reviewed-on: https://chromium-review.googlesource.com/962875
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Peter Kasting <pkasting@chromium.org>
Cr-Commit-Position: refs/heads/master@{#543600}
[modify] https://crrev.com/de9acc5cb3527da9173f01973d849bd47f91a9fd/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/de9acc5cb3527da9173f01973d849bd47f91a9fd/components/url_formatter/top_domains/test_domains.list
[modify] https://crrev.com/de9acc5cb3527da9173f01973d849bd47f91a9fd/components/url_formatter/top_domains/test_skeletons.gperf
[modify] https://crrev.com/de9acc5cb3527da9173f01973d849bd47f91a9fd/components/url_formatter/url_formatter_unittest.cc

Comment 12 by chromium...@gmail.com, Mar 16 2018

Verified today on 67.0.3373.0, ԝзѕснооӏѕ.com is shown as expected. Thanks Jungshik as ever!

Comment 13 by chromium...@gmail.com, Mar 16 2018

Attachment: Screen Shot 2018-03-16 at 21.23.28.png (36.9 KB)

Comment 14 by js...@chromium.org, Mar 16 2018

Status: Fixed (was: Assigned)
Thank you for verifying the fix and reporting the bug.

Comment 15 by sheriffbot@chromium.org, Mar 17 2018

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 16 by awhalley@google.com, Mar 19 2018

Labels: reward-topanel

Comment 17 by sheriffbot@chromium.org, Mar 20 2018

Project Member
Labels: Merge-Request-66

Comment 18 by sheriffbot@chromium.org, Mar 20 2018

Project Member
Labels: -Merge-Request-66 Merge-Review-66 Hotlist-Merge-Review
This bug requires manual review: Less than 24 days to go before AppStore submit on M66
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 19 by abdulsyed@google.com, Mar 20 2018

Labels: -Merge-Review-66 Merge-Approved-66
Merge approved - branch:3359

Comment 20 by bugdroid1@chromium.org, Mar 20 2018

Project Member
Labels: -merge-approved-66 merge-merged-3359
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a0909838fdd22cf3de12f2e6f896ac14d82257d0

commit a0909838fdd22cf3de12f2e6f896ac14d82257d0
Author: Jungshik Shin <jshin@chromium.org>
Date: Tue Mar 20 20:50:45 2018

[M66 branch] Add more to confusables list

U+04FB (ӻ) to f
U+050F (ԏ) to t
U+050B (ԋ) and U+0527 (ԧ) to h
U+0437(з) and U+04E1(ӡ) to 3

Add tests for the above entries and tests for ASCII-digit spoofing.

Bug: 816769, 820068
Test: components_unittests --gtest_filter=*IDN*
Change-Id: I6cd0a7e97cd0ec2df522ce30f632acfd7b78eee2
Reviewed-on: https://chromium-review.googlesource.com/962875
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Peter Kasting <pkasting@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#543600}(cherry picked from commit de9acc5cb3527da9173f01973d849bd47f91a9fd)
Reviewed-on: https://chromium-review.googlesource.com/971769
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/branch-heads/3359@{#355}
Cr-Branched-From: 66afc5e5d10127546cc4b98b9117aff588b5e66b-refs/heads/master@{#540276}
[modify] https://crrev.com/a0909838fdd22cf3de12f2e6f896ac14d82257d0/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/a0909838fdd22cf3de12f2e6f896ac14d82257d0/components/url_formatter/top_domains/test_domains.list
[modify] https://crrev.com/a0909838fdd22cf3de12f2e6f896ac14d82257d0/components/url_formatter/top_domains/test_skeletons.gperf
[modify] https://crrev.com/a0909838fdd22cf3de12f2e6f896ac14d82257d0/components/url_formatter/url_formatter_unittest.cc

Comment 21 by awhalley@chromium.org, Mar 26 2018

Labels: -reward-topanel reward-unpaid reward-500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Comment 22 by awhalley@google.com, Mar 26 2018

$500 for this report, thanks!

Comment 23 by awhalley@chromium.org, Mar 26 2018

Labels: -reward-unpaid reward-inprocess

Comment 24 by awhalley@google.com, Apr 17 2018

Labels: Release-0-M66

Comment 25 by awhalley@chromium.org, Apr 25 2018

Labels: CVE-2018-6104

Comment 26 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-missing

Comment 27 by sheriffbot@chromium.org, Jun 23 2018

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 28 by mea...@chromium.org, Oct 19

Labels: idn-spoof

Comment 29 by awhalley@chromium.org, Dec 4

Labels: -CVE_description-missing CVE_description-submitted
