Issue metadata

Status: Fixed
Owner:
Closed: Oct 17
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, iOS, Chrome, Mac
Pri: 1
Type: Bug-Security
Team-Security-UX




Issue 863663: Security: IDN URL spoofing using U+0517 (ԗ)

Reported by zxyrz...@gmail.com, Jul 14 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Steps to reproduce the problem:
http://xn--80ak6a69bhl.com/

What is the expected behavior?

What went wrong?
U+0517(ԗ) in address bar looks like p

Did this work before? N/A 

Chrome version: 67.0.3396.99  Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 30.0 r0
 

Comment 1 by est...@chromium.org, Jul 14 2018

Components: UI>Browser>Omnibox UI>Security>UrlFormatting
Labels: -Pri-2 M-69 Security_Severity-Medium Security_Impact-Stable Pri-1
Owner: mea...@chromium.org
Status: Assigned (was: Unconfirmed)
Over to meacer for triage. On my Mac this doesn't look very convincing (see screenshot) but maybe it looks different elsewhere.
Screen Shot 2018-07-14 at 8.24.42 AM.png

Comment 2 by zxyrz...@gmail.com, Jul 14 2018

I forgot to attach my screenshot, both on my mac and windows machine
mac.png
windows.jpg

Comment 3 by sheriffbot@chromium.org, Jul 28 2018

Project Member
meacer: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by sheriffbot@chromium.org, Aug 12

Project Member
meacer: Uh oh! This issue is still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by meacer@google.com, Oct 15

Cc: livvielin@chromium.org mea...@chromium.org
Owner: jdeblasio@chromium.org

Comment 6 by sheriffbot@chromium.org, Oct 17

Project Member
Labels: -M-69 Target-70 M-70

Comment 7 by jdeblasio@chromium.org, Oct 17

Status: Started (was: Assigned)

Comment 8 by bugdroid1@chromium.org, Oct 17

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4d666348de3f67d5cb7b5401f0f69f6b9d3719eb

commit 4d666348de3f67d5cb7b5401f0f69f6b9d3719eb
Author: Joe DeBlasio <jdeblasio@chromium.org>
Date: Wed Oct 17 22:50:50 2018

Include U+0517 in set of Cyrillic/Latin lookalikes.

Cyrillic letter U+0517 (ԗ) looks somewhat similar to the Latin letter p.
This CL adds this character to the set of Cyrillic characters that look
like Latin characters. Domains made up entirely of Cyrillic/Latin
lookalikes are displayed as punycode in URLs.

Bug:  863663 
Change-Id: I4340c48d124c9c4cd3d3b5d0f9d3865d709e082d
Reviewed-on: https://chromium-review.googlesource.com/c/1286825
Commit-Queue: Joe DeBlasio <jdeblasio@chromium.org>
Commit-Queue: Peter Kasting <pkasting@chromium.org>
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Cr-Commit-Position: refs/heads/master@{#600582}
[modify] https://crrev.com/4d666348de3f67d5cb7b5401f0f69f6b9d3719eb/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/4d666348de3f67d5cb7b5401f0f69f6b9d3719eb/components/url_formatter/url_formatter_unittest.cc
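
The display rule stated in the commit message above, applied to the hostname from the report. This is an added example, not code from the Chromium tree or from anyone in this thread. The lookalike set is a constructed subset, the names decode_label, describe and display_form are hypothetical, and only this one rule is modelled.

```python
import unicodedata

# Constructed, illustrative subset of Cyrillic letters that resemble Latin
# a c e i j o p x y l s h d q w. An assumption for this example, not
# Chromium's actual list.
LOOKALIKES_BEFORE = set(
    "\u0430\u0441\u0435\u0456\u0458\u043e\u0440\u0445"
    "\u0443\u04cf\u0455\u04bb\u0501\u051b\u051d"
)
# The same set with U+0517 added, as the commit message describes.
LOOKALIKES_AFTER = LOOKALIKES_BEFORE | {"\u0517"}


def decode_label(label):
    """Decode an 'xn--' A-label to Unicode; return other labels unchanged."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def describe(label):
    """List the code points behind a label, for manual review of a hostname."""
    return ["U+%04X %s" % (ord(c), unicodedata.name(c, "UNNAMED"))
            for c in decode_label(label)]


def display_form(hostname, lookalikes):
    """Show a label as punycode when every character in it is a lookalike,
    otherwise show it decoded. Only this one rule is modelled."""
    shown = []
    for label in hostname.split("."):
        decoded = decode_label(label)
        is_idn = decoded != label
        if is_idn and decoded and all(c in lookalikes for c in decoded):
            shown.append(label)      # entirely lookalikes: keep xn-- form
        else:
            shown.append(decoded)    # ASCII label or ordinary IDN text
    return ".".join(shown)


if __name__ == "__main__":
    host = "xn--80ak6a69bhl.com"     # hostname from the report
    print(describe(host.split(".")[0]))
    print("before:", display_form(host, LOOKALIKES_BEFORE))
    print("after: ", display_form(host, LOOKALIKES_AFTER))
```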

Comment 9 by jdeblasio@chromium.org, Oct 17

Labels: OS-Android OS-Chrome OS-iOS OS-Linux OS-Mac
Status: Fixed (was: Started)

Comment 10 by sheriffbot@chromium.org, Oct 18

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 11 by mea...@chromium.org, Oct 19

Labels: idn-spoof

Comment 12 by mea...@chromium.org, Oct 19

Labels: idn-spoof

Comment 13 by awhalley@chromium.org, Oct 22

Labels: reward-topanel

Comment 14 by sheriffbot@chromium.org, Oct 26

Project Member
Labels: Merge-Request-71

Comment 15 by sheriffbot@chromium.org, Oct 26

Project Member
Labels: -Merge-Request-71 Hotlist-Merge-Review Merge-Review-71
This bug requires manual review: M71 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 16 by jdeblasio@chromium.org, Oct 26

Labels: -Merge-Review-71

Comment 17 by jdeblasio@chromium.org, Oct 26

Labels: -Hotlist-Merge-Review

Comment 18 by awhalley@google.com, Oct 31

Labels: -reward-topanel reward-0
Hi zxyrzg02@, thanks for the report! I'm afraid the VRP panel decided to track this as a low severity bug, and as such won't be rewarding for it.

Comment 19 by awhalley@google.com, Dec 4

Labels: -Target-70 -M-70 Target-72 M-72

Comment 20 by sheriffbot@chromium.org, Jan 24

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 21 by awhalley@google.com, Jan 28

Labels: Release-0-M72

Comment 22 by awhalley@chromium.org, Jan 28

Labels: CVE-2019-5776 CVE_description-missing

Comment 23 by awhalley@chromium.org, Today (6 hours ago)

Labels: -CVE_description-missing CVE_description-submitted
