New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 835554 link

Starred by 1 user

Issue metadata

Status: Fixed
Closed: May 2018
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug-Security

Sign in to add a comment

U+0153 (œ), U+00e6 (æ) may lead to url spoofing

Reported by, Apr 21 2018

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36

Steps to reproduce the problem:
this domain looks like in address bar, and it's already alive

What is the expected behavior?

What went wrong?
As it's a different case  from the original issue, I create a new issue about it.
U+0152 (œ) looks like `ce` in address bar, and it's original character are `oe` so it will not be blocked and can spoof lots of domains in top domain list, for example,

Did this work before? N/A 

Chrome version: 66.0.3359.117  Channel: stable
OS Version: OS X 10.13.4
Flash Version: Shockwave Flash 29.0 r0
13.0 KB View Download

Comment 1 by, Apr 22 2018

Status: Assigned (was: Unconfirmed)

Comment 2 by, Apr 22 2018

Components: UI>Browser>Omnibox UI>Internationalization
Labels: M-66 Security_Severity-Medium Security_Impact-Stable
Project Member

Comment 3 by, Apr 23 2018

Labels: -Pri-2 Pri-1

Comment 4 by, Apr 24 2018

Well, we can be aggressive, but this seems to be a bit too stretchy. We do have a lot of not-so-likely entries in our supplementary table to be on the safe side. So, I'm not saying this should not be in. 

Comment 5 Deleted

Project Member

Comment 6 by, May 9 2018

jshin: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit - Your friendly Sheriffbot

Comment 7 by, May 10 2018

Labels: -M-66 M-67
Definitely not for M66. Maybe, M-67. 

Comment 8 by, May 11 2018

Need to look for similar cases in the set at . 

Comment 9 by, May 11 2018

U+00E6 æ => a e
U+04D5 ӕ => a e

Borderline list: 

U+044E ю => i o  ? 
U+044B ы =>  b i or b l 

The above characters + diacritics will be handled automatically because diacritic removal is done earlier. 

Comment 10 by, May 11 2018

Summary: U+0153 (œ), U+00e6 (æ) may lead to url spoofing (was: U+0152 (œ) may lead to url spoofing)

Comment 11 by, May 14 2018

Status: Started (was: Assigned)
Project Member

Comment 12 by, May 16 2018

The following revision refers to this bug:

commit f8bc31acf099873ebc623e92908477f2e99c17f6
Author: Jungshik Shin <>
Date: Wed May 16 02:11:14 2018

Add a few more confusability mapping entries

U+0153(œ) => ce
U+00E6(æ), U+04D5 (ӕ) => ae
U+0499(ҙ) => 3
U+0525(ԥ) => n

Bug:  835554 ,  826019 ,  836885 
Test: components_unittests --gtest_filter=*IDN*
Change-Id: Ic89211f70359d3d67cc25c1805b426b72cdb16ae
Commit-Queue: Jungshik Shin <>
Reviewed-by: Peter Kasting <>
Cr-Commit-Position: refs/heads/master@{#558928}

Comment 13 by, May 17 2018

Status: Fixed (was: Started)
follow-up bug: 

Comment 14 by, May 17 2018

Components: UI>Security>UrlFormatting
Project Member

Comment 15 by, May 18 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -M-67 M-68
Labels: -reward-topanel reward-unpaid reward-500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
Thanks zxyrzg02@, $500 for this report.
Labels: -reward-unpaid reward-inprocess
Project Member

Comment 21 by, Jun 8

Labels: Merge-Request-68
Project Member

Comment 22 by, Jun 8

Labels: -Merge-Request-68 Hotlist-Merge-Review Merge-Review-68
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit - Your friendly Sheriffbot
Labels: -Merge-Review-68
No merge needed
Labels: Release-0-M68
Project Member

Comment 25 by, Aug 24

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: CVE-2018-6166 CVE_description-missing
Labels: idn-spoof

Sign in to add a comment