
Issue 836885


Issue metadata

Status: Verified
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, iOS, Chrome, Mac, Fuchsia
Pri: 1
Type: Bug-Security
Team-Security-UX




Security: IDN URL Spoofing with “ҙ” (U+0499)

Reported by chromium...@gmail.com, Apr 25 2018

Issue description

Chrome Version: 68.0.3406.0 (Official Build) canary (64-bit)
Operating System: macOS

REPRODUCTION CASE

- From issue 820068

https://xn--m1acaj3he48b8nnw.com >> https://ԝҙѕснооӏѕ.com

Note: I believe this is the last character that should be blocked in Chrome (thanks to Jungshik Shin).
 
Cc: mgiuca@chromium.org
Components: UI>Security>UrlFormatting UI>Internationalization
Labels: Security_Severity-Medium Security_Impact-Stable FoundIn-68 OS-Android OS-Chrome OS-Fuchsia OS-iOS OS-Linux OS-Mac OS-Windows Pri-1
Owner: js...@chromium.org
Status: Assigned (was: Unconfirmed)
PTAL?
Project Member

Comment 2 by sheriffbot@chromium.org, Apr 26 2018

Labels: M-66

Comment 3 by js...@chromium.org, Apr 30 2018

Cc: markda...@google.com bstell@google.com sffc@google.com
Ok. Let's add it, too.

Comment 4 by js...@chromium.org, May 14 2018

Status: Started (was: Assigned)
https://chromium-review.googlesource.com/c/chromium/src/+/1055894

Comment 5 by js...@chromium.org, May 14 2018

Labels: -M-66 M-67

Comment 6 by sffc@google.com, May 14 2018

Should we have a strategy for regularly migrating these extra confusability mappings to Unicode confusables.txt?
Project Member

Comment 7 by bugdroid1@chromium.org, May 16 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f8bc31acf099873ebc623e92908477f2e99c17f6

commit f8bc31acf099873ebc623e92908477f2e99c17f6
Author: Jungshik Shin <jshin@chromium.org>
Date: Wed May 16 02:11:14 2018

Add a few more confusability mapping entries

U+0153(œ) => ce
U+00E6(æ), U+04D5 (ӕ) => ae
U+0499(ҙ) => 3
U+0525(ԥ) => n

Bug: 835554, 826019, 836885
Test: components_unittests --gtest_filter=*IDN*
Change-Id: Ic89211f70359d3d67cc25c1805b426b72cdb16ae
Reviewed-on: https://chromium-review.googlesource.com/1055894
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Cr-Commit-Position: refs/heads/master@{#558928}
[modify] https://crrev.com/f8bc31acf099873ebc623e92908477f2e99c17f6/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/f8bc31acf099873ebc623e92908477f2e99c17f6/components/url_formatter/top_domains/test_domains.list
[modify] https://crrev.com/f8bc31acf099873ebc623e92908477f2e99c17f6/components/url_formatter/top_domains/test_skeletons.gperf
[modify] https://crrev.com/f8bc31acf099873ebc623e92908477f2e99c17f6/components/url_formatter/url_formatter_unittest.cc
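
The kind of check these mapping entries feed, as an added Python illustration (not Chromium's idn_spoof_checker.cc): fold look-alike characters to ASCII and compare the result with a list of protected domains. Assumptions: the function names, the constructed PROTECTED_DOMAINS list, the reading of the reproduction label as a look-alike of w3schools.com, and the ASSUMED_MAPPINGS entries for the Cyrillic letters the commit message does not list.

```python
# Added illustration; a simplified skeleton check, not Chromium's code.
COMMIT_MAPPINGS = {          # entries listed in the commit message above
    "\u0153": "ce",          # œ
    "\u00e6": "ae",          # æ
    "\u04d5": "ae",          # ӕ
    "\u0499": "3",           # ҙ
    "\u0525": "n",           # ԥ
}
ASSUMED_MAPPINGS = {         # assumption: look-alikes not listed on this page
    "\u051d": "w",           # ԝ
    "\u0455": "s",           # ѕ
    "\u0441": "c",           # с
    "\u043d": "h",           # н
    "\u043e": "o",           # о
    "\u04cf": "l",           # ӏ
}
SKELETON_MAP = str.maketrans({**COMMIT_MAPPINGS, **ASSUMED_MAPPINGS})
PROTECTED_DOMAINS = {"w3schools.com", "example.com"}  # constructed list


def to_unicode(hostname):
    """Decode xn-- (Punycode) labels so the check sees what the user sees."""
    labels = []
    for label in hostname.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(hostname):
    """Fold each look-alike character to the ASCII text it resembles."""
    return to_unicode(hostname).translate(SKELETON_MAP)


def looks_like_protected(hostname):
    """Return the protected domain this hostname imitates, or None."""
    if to_unicode(hostname) in PROTECTED_DOMAINS:
        return None  # the genuine domain, nothing to flag
    skel = skeleton(hostname)
    return skel if skel in PROTECTED_DOMAINS else None


if __name__ == "__main__":
    repro = "xn--m1acaj3he48b8nnw.com"  # reproduction case from the report
    print(to_unicode(repro), "->", looks_like_protected(repro))
```

Without the U+0499 entry the skeleton keeps the Cyrillic letter and no longer matches the protected name, which is the gap this issue reports.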

Verified on 68.0.3433.0. Fixed.

Comment 9 by js...@chromium.org, May 17 2018

Status: Verified (was: Started)
Will bake in canary and ask for merge to 67 branch. 
Project Member

Comment 10 by sheriffbot@chromium.org, May 18 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -M-67 M-68
Labels: -reward-topanel reward-0
I'm afraid the VRP panel declined to reward for this one, too.
Project Member

Comment 14 by sheriffbot@chromium.org, Jun 8

Labels: Merge-Request-68
Project Member

Comment 15 by sheriffbot@chromium.org, Jun 8

Labels: -Merge-Request-68 Hotlist-Merge-Review Merge-Review-68
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-68 Merge-Rejected-68
Merge Rejected - should be already in 3440 branch. 
Labels: Release-0-M68
Project Member

Comment 18 by sheriffbot@chromium.org, Aug 24

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE-2018-6173 CVE_description-missing
Labels: idn-spoof
