Issue 849398

Issue metadata

Status: Fixed
Owner:
Closed: Jun 12
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Security



Security: IDN URL Spoofing with Georgian Letter Vin

Reported by chromium...@gmail.com, Jun 4

Issue description

VERSION
Chrome Version: Version 69.0.3449.0 (Official Build) canary (64-bit)
Operating System: Mac

REPRODUCTION CASE
- (U+10D5) "ვ" looks like a "3" and it's not easy to catch the spoofing.

Real domain: http://www.163.com/

Spoof domain: http://xn--16-pik.com/
 
Cc: mgiuca@chromium.org
Components: UI>Browser>Omnibox UI>Security>UrlFormatting
Labels: Security_Severity-Medium Security_Impact-Stable
Status: Available (was: Unconfirmed)
Project Member

Comment 2 by sheriffbot@chromium.org, Jun 5

Labels: Target-67 M-67
Project Member

Comment 3 by sheriffbot@chromium.org, Jun 5

Labels: Pri-1
Labels: Team-Security-UX OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Cc: mea...@chromium.org jdonnelly@chromium.org
Since jshin is gone, can somebody else pick this one up?
I forget but don't we have some system for dealing with this problem generally? Like a blacklist of character points that we don't render? If not, what's the right action here?
Owner: mea...@chromium.org
Status: Assigned (was: Available)
There is an additional look-alike character mapping that we use to determine whether to fall back to punycode: https://cs.chromium.org/chromium/src/components/url_formatter/idn_spoof_checker.cc?rcl=ab8ee841dc483441eac21b5fff2e7d092b05e2a7&l=157

I'll add this character to the list.
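
A simplified sketch of the look-alike check described in the comment above, added here as an example; it is not Chromium's code and not part of the original thread. It decodes the punycode label from the report, maps the two characters named in the fix (U+10D5, U+1012) to "3", and falls back to punycode when the result matches a protected domain. The names `CONFUSABLE_TO_ASCII`, `PROTECTED_DOMAINS`, `skeleton` and `display_form` are hypothetical, and the protected list is a constructed stand-in.

```python
# Added illustration, not Chromium's idn_spoof_checker.cc.
# The two look-alike entries named in this issue's fix; both map to "3".
CONFUSABLE_TO_ASCII = {"\u10d5": "3", "\u1012": "3"}

# Constructed stand-in for a list of well-known domains to protect.
PROTECTED_DOMAINS = {"163.com"}


def decode_label(label: str) -> str:
    """Decode one DNS label; A-labels carry the ACE prefix 'xn--'."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: leave the label as it is
    return label


def encode_label(label: str) -> str:
    """Encode one label to its ASCII (punycode) form if it is not ASCII."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def skeleton(unicode_host: str) -> str:
    """Replace each known look-alike character with its ASCII twin."""
    return "".join(CONFUSABLE_TO_ASCII.get(ch, ch) for ch in unicode_host)


def display_form(hostname: str) -> str:
    """Return the hostname as it should be shown to the user."""
    labels = [decode_label(l) for l in hostname.lower().rstrip(".").split(".")]
    unicode_host = ".".join(labels)
    if unicode_host in PROTECTED_DOMAINS:
        return unicode_host  # the real domain itself
    if skeleton(unicode_host) in PROTECTED_DOMAINS:
        # Imitates a protected domain: fall back to punycode.
        return ".".join(encode_label(l) for l in labels)
    return unicode_host


if __name__ == "__main__":
    for host in ("163.com", "xn--16-pik.com", "xn--bcher-kva.de"):
        print(host, "->", display_form(host))
```

An IDN that does not collapse onto a protected name, such as the last sample host, is still shown in Unicode; only the look-alike is forced to its `xn--` form.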
Status: Started (was: Assigned)
Project Member

Comment 9 by bugdroid1@chromium.org, Jun 8

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d616695bd68610e75b90d734d72d42534bf01b82

commit d616695bd68610e75b90d734d72d42534bf01b82
Author: Mustafa Emre Acer <meacer@chromium.org>
Date: Fri Jun 08 19:19:41 2018

Add confusability mapping entries for Myanmar and Georgian

U+10D5 (ვ), U+1012 (ဒ) => 3

Bug: 847242, 849398
Test: components_unittests --gtest_filter=*IDN*
Change-Id: I9abb8560cf1c9e8e5e8d89980780b89461f7be52
Reviewed-on: https://chromium-review.googlesource.com/1091430
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Mustafa Emre Acer <meacer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#565709}
[modify] https://crrev.com/d616695bd68610e75b90d734d72d42534bf01b82/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/d616695bd68610e75b90d734d72d42534bf01b82/components/url_formatter/url_formatter_unittest.cc

Fixed?
Verified today in M69.0.3456.0, http://16ვ.com is shown in punycode, so, it's fixed.
Status: Fixed (was: Started)
The same thing in issue 847242. Fixed.
Project Member

Comment 14 by sheriffbot@chromium.org, Jun 12

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Project Member

Comment 16 by sheriffbot@chromium.org, Jun 19

Labels: Merge-Request-68
Project Member

Comment 17 by sheriffbot@chromium.org, Jun 19

Labels: -Merge-Request-68 Hotlist-Merge-Review Merge-Review-68
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-68 Merge-Approved-68
Approving this merge for M68. Branch:3440
Project Member

Comment 19 by bugdroid1@chromium.org, Jun 20

Labels: -merge-approved-68 merge-merged-3440
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/93c0d219306d70faf545afd6baf3e6f389c76f55

commit 93c0d219306d70faf545afd6baf3e6f389c76f55
Author: Mustafa Emre Acer <meacer@chromium.org>
Date: Wed Jun 20 17:45:43 2018

Add confusability mapping entries for Myanmar and Georgian

U+10D5 (ვ), U+1012 (ဒ) => 3

TBR=meacer@chromium.org

(cherry picked from commit d616695bd68610e75b90d734d72d42534bf01b82)

Bug: 847242, 849398
Test: components_unittests --gtest_filter=*IDN*
Change-Id: I9abb8560cf1c9e8e5e8d89980780b89461f7be52
Reviewed-on: https://chromium-review.googlesource.com/1091430
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Mustafa Emre Acer <meacer@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#565709}
Reviewed-on: https://chromium-review.googlesource.com/1108380
Reviewed-by: Mustafa Emre Acer <meacer@chromium.org>
Cr-Commit-Position: refs/branch-heads/3440@{#464}
Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733}
[modify] https://crrev.com/93c0d219306d70faf545afd6baf3e6f389c76f55/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/93c0d219306d70faf545afd6baf3e6f389c76f55/components/url_formatter/url_formatter_unittest.cc

Labels: -reward-topanel reward-unpaid reward-500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
But $500 for this one :-)
Labels: -reward-unpaid reward-inprocess
Labels: Release-0-M68
Labels: CVE-2018-6163 CVE_description-missing
Project Member

Comment 25 by sheriffbot@chromium.org, Sep 18

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: idn-spoof