
Issue metadata

Status: Fixed
Owner:
Closed: Oct 31
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac, Fuchsia
Pri: 1
Type: Bug-Security



Hotlists containing this issue:
Url-Audit



Issue 849421: Security: IDN URL spoofing - "ଠ" can be used to spoof "o2.co.uk"

Reported by chromium...@gmail.com, Jun 4 2018

Issue description

VERSION
Chrome Version: Version 69.0.3449.0 (Official Build) canary (64-bit)
Operating System: Mac

Also, "ଠ" looks more like an "O".

Real domain: https://www.o2.co.uk (listed in top-100k domain)

Spoof domain: http://xn--2-ppe.co.uk
 
Attachment: Screen Shot 2018-06-04 at 21.15.34.png (23.9 KB)

Comment 1 by mea...@chromium.org, Jun 4 2018

Cc: mgiuca@chromium.org
Components: UI>Browser>Omnibox UI>Security>UrlFormatting
Labels: Security_Severity-Medium Security_Impact-Stable OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Status: Available (was: Unconfirmed)

Comment 2 by sheriffbot@chromium.org, Jun 5 2018

Project Member
Labels: Target-67 M-67

Comment 3 by sheriffbot@chromium.org, Jun 5 2018

Project Member
Labels: Pri-1

Comment 4 by palmer@chromium.org, Jun 5 2018

Labels: Team-Security-UX

Comment 5 by palmer@chromium.org, Jun 7 2018

Cc: jdonnelly@chromium.org
Since jshin is gone, can somebody else pick this one up?

Comment 6 by palmer@chromium.org, Jun 7 2018

Cc: mea...@chromium.org

Comment 7 by mea...@chromium.org, Jun 7 2018

Cc: -mea...@chromium.org
Owner: mea...@chromium.org
Status: Assigned (was: Available)
I think the problem here is that ଠ is paired with 2. Since there is no Latin character in the label, Chrome isn't falling back to punycode.

As a very specific patch, we should be able to fix this by adding o2.co.uk to top domains list. I'll do that unless anyone suggests an alternative approach.

Comment 8 by sheriffbot@chromium.org, Jun 21 2018

Project Member
meacer: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by chromium...@gmail.com, Jun 21 2018

Also, there is another character, "റ", that should be mapped to "O":

- http://റ2.co.uk
Attachment: Screen Shot 2018-06-21 at 23.37.32.png (27.0 KB)

Comment 10 by jdonnelly@chromium.org, Jun 29 2018

meacer: Did you add o2.co.uk to the top domains list?

Comment 11 by sheriffbot@chromium.org, Jul 6 2018

Project Member
meacer: Uh oh! This issue still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 12 by mea...@chromium.org, Jul 10 2018

o2.co.uk is already in the top domains list so my previous comment is moot.

ICU does the following mappings while extracting skeletons:
- ଠ mapped to O
- o mapped to o
- 0 mapped to o

Based on this, the skeleton of ଠ2.co.uk is extracted as O2.co.uk and the skeleton of o2.co.uk is o2.co.uk (itself). These don't match because the first one starts with the upper case o.

One solution is to test both the original and lowercase skeletons. That would effectively map 0s to o, and would prevent spoofing with zeros (e.g. g00glé.com would be rendered in punycode). Or if we want to be conservative, we could replace upper case "O"s with lower case "o"s in skeletons and test both versions.

Comment 13 by mea...@chromium.org, Jul 10 2018

^ In the above comment "0 mapped to o" should be "0 mapped to O".

The downside of the above approach is that we might fall back to punycode more often than necessary, but we'd be reducing false negatives such as this one.

Comment 14 by sheriffbot@chromium.org, Jul 25 2018

Project Member
Labels: -M-67 Target-68 M-68

Comment 15 by sheriffbot@chromium.org, Sep 5

Project Member
Labels: -M-68 M-69 Target-69

Comment 16 by sheriffbot@chromium.org, Oct 17

Project Member
Labels: -M-69 Target-70 M-70

Comment 17 by jdeblasio@chromium.org, Oct 18

Cc: jdeblasio@chromium.org

Comment 18 by mea...@chromium.org, Oct 19

Labels: idn-spoof

Comment 19 by bugdroid1@chromium.org, Oct 23

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/af38308b7112bdfbc0cfcc27f966314accc471d0

commit af38308b7112bdfbc0cfcc27f966314accc471d0
Author: Joe DeBlasio <jdeblasio@chromium.org>
Date: Tue Oct 23 18:30:11 2018

Mapping several Indic characters to confusables.

A number of characters from several Indian scripts are confusable,
especially with numbers. This change maps these characters to their
ASCII lookalike to allow fallback to punycode when displaying probable
spoofing URLs.

Bug:  849421 
Bug:  892646 
Bug:  896722 
Change-Id: I6d463642f3541454dc39bf4b32b8291417697c52
Reviewed-on: https://chromium-review.googlesource.com/c/1295179
Reviewed-by: Tommy Li <tommycli@chromium.org>
Commit-Queue: Joe DeBlasio <jdeblasio@chromium.org>
Cr-Commit-Position: refs/heads/master@{#602032}
[modify] https://crrev.com/af38308b7112bdfbc0cfcc27f966314accc471d0/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/af38308b7112bdfbc0cfcc27f966314accc471d0/components/url_formatter/top_domains/test_domains.list
[modify] https://crrev.com/af38308b7112bdfbc0cfcc27f966314accc471d0/components/url_formatter/top_domains/test_domains.skeletons
[modify] https://crrev.com/af38308b7112bdfbc0cfcc27f966314accc471d0/components/url_formatter/url_formatter_unittest.cc

Comment 20 by mea...@chromium.org, Oct 24

Blockedon: 898343

Comment 21 by chromium...@gmail.com, Oct 27

Verified today on 72.0.3592.0 canary. Fixed.
Attachment: Screen Shot 2018-10-27 at 01.29.00.png (25.7 KB)

Comment 22 by chromium...@gmail.com, Oct 31

(Ping) - Shouldn't this be marked as "Fixed"?

Comment 23 by mea...@chromium.org, Oct 31

Cc: -jdeblasio@chromium.org mea...@chromium.org
Owner: jdeblasio@chromium.org
Status: Fixed (was: Assigned)

Comment 24 by sheriffbot@chromium.org, Nov 1

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 25 by awhalley@chromium.org, Nov 5

Labels: reward-topanel

Comment 26 by sheriffbot@chromium.org, Nov 5

Project Member
Labels: Merge-Request-71

Comment 27 by sheriffbot@chromium.org, Nov 5

Project Member
Labels: -Merge-Request-71 Hotlist-Merge-Review Merge-Review-71
This bug requires manual review: M71 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 28 by jdeblasio@chromium.org, Nov 5

Blockedon: -898343
Labels: -Hotlist-Merge-Review -Target-67 -Target-68 -Target-69 -Target-70 -M-70 -Merge-Review-71 Target-72 M-72

Comment 29 by awhalley@google.com, Nov 12

Labels: -reward-topanel reward-0
The VRP panel declined to reward for this bug, I'm afraid.

Comment 30 by awhalley@google.com, Jan 28

Labels: Release-0-M72

Comment 31 by awhalley@chromium.org, Jan 28

Labels: CVE-2019-5777 CVE_description-missing

Comment 32 by sheriffbot@chromium.org, Feb 7

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 33 by awhalley@chromium.org, Today (5 hours ago)

Labels: -CVE_description-missing CVE_description-submitted
