Issue metadata

Status: Fixed
Owner:
Closed: Oct 23
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security
Team-Security-UX




Issue 896722: Security: IDN URL Spoofing with U+0a67

Reported by evi1m0.bat@gmail.com, Oct 18

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36

Steps to reproduce the problem:
### SPOOF CASE

(\u0a67)(\u09ed) "੧" "৭" look like a "q"; it's not easy to catch the spoofing.

Real: https://੧੧.com --- Spoof domain: https://xn--pcca.com/

What is the expected behavior?

What went wrong?
idn spoof

Did this work before? N/A 

Chrome version: 70.0.3538.67  Channel: stable
OS Version: 10.0
Flash Version:
 

Comment 1 by infe...@chromium.org, Oct 18

Components: UI>Security>UrlFormatting UI>Internationalization
Labels: Target-71 Security_Severity-Medium M-71 Security_Impact-Stable
Owner: mea...@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 2 by sheriffbot@chromium.org, Oct 19

Project Member
Labels: -Pri-2 Pri-1

Comment 3 by jdeblasio@chromium.org, Oct 19

Cc: mea...@chromium.org
Owner: jdeblasio@chromium.org

Comment 4 by mea...@chromium.org, Oct 19

Labels: idn-spoof

Comment 5 by mea...@chromium.org, Oct 19

Labels: idn-spoof

Comment 6 by jdeblasio@chromium.org, Oct 22

Status: Started (was: Assigned)

Comment 7 by bugdroid1@chromium.org, Oct 23

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/af38308b7112bdfbc0cfcc27f966314accc471d0

commit af38308b7112bdfbc0cfcc27f966314accc471d0
Author: Joe DeBlasio <jdeblasio@chromium.org>
Date: Tue Oct 23 18:30:11 2018

Mapping several Indic characters to confusables.

A number of characters from several Indian scripts are confusable,
especially with numbers. This change maps these characters to their
ASCII lookalike to allow fallback to punycode when displaying probable
spoofing URLs.

Bug:  849421 
Bug:  892646 
Bug:  896722 
Change-Id: I6d463642f3541454dc39bf4b32b8291417697c52
Reviewed-on: https://chromium-review.googlesource.com/c/1295179
Reviewed-by: Tommy Li <tommycli@chromium.org>
Commit-Queue: Joe DeBlasio <jdeblasio@chromium.org>
Cr-Commit-Position: refs/heads/master@{#602032}
[modify] https://crrev.com/af38308b7112bdfbc0cfcc27f966314accc471d0/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/af38308b7112bdfbc0cfcc27f966314accc471d0/components/url_formatter/top_domains/test_domains.list
[modify] https://crrev.com/af38308b7112bdfbc0cfcc27f966314accc471d0/components/url_formatter/top_domains/test_domains.skeletons
[modify] https://crrev.com/af38308b7112bdfbc0cfcc27f966314accc471d0/components/url_formatter/url_formatter_unittest.cc
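
The check described in the commit message above, sketched as an added example (not code from the commit or from Chromium): map lookalike characters to ASCII to form a skeleton, and show punycode when the skeleton matches a protected name. The lookalike map holds only the two code points named in the report; the function names, the protected list and the `.example`/`.test` hostnames are constructed assumptions.

```python
# Added illustration; not Chromium's idn_spoof_checker.cc.
# Lookalike map limited to the two code points named in the report.
CONFUSABLE_TO_ASCII = {
    "\u0a67": "q",  # GURMUKHI DIGIT ONE
    "\u09ed": "q",  # BENGALI DIGIT SEVEN
}

# Constructed stand-in for a top-domain list (hypothetical entries).
PROTECTED_DOMAINS = {"qq.example", "example.org"}


def skeleton(host: str) -> str:
    """Replace each mapped lookalike with its ASCII counterpart."""
    return "".join(CONFUSABLE_TO_ASCII.get(ch, ch) for ch in host.lower())


def to_punycode(host: str) -> str:
    """Encode every non-ASCII label as an xn-- A-label (RFC 3492)."""
    labels = []
    for label in host.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def display_host(host: str) -> str:
    """Return the form to show the user: Unicode if safe, punycode if not."""
    host = host.lower()
    if host.isascii():
        return host  # nothing to spoof-check in a pure ASCII name
    if skeleton(host) in PROTECTED_DOMAINS:
        return to_punycode(host)  # probable spoof: fall back to punycode
    return host  # no protected name resembles it: keep Unicode


if __name__ == "__main__":
    # Constructed sample hosts using the label from the report.
    for sample in ("\u0a67\u0a67.example", "q\u0a67.example", "\u0a67\u0a67.test"):
        print(repr(sample), "->", display_host(sample))
```

A mixed label such as `q` followed by U+0A67 is caught as well, because the comparison runs on the skeleton rather than on the raw label.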

Comment 8 by jdeblasio@chromium.org, Oct 23

Status: Fixed (was: Started)

Comment 9 by sheriffbot@chromium.org, Oct 24

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 10 by awhalley@chromium.org, Oct 31

Labels: reward-topanel

Comment 11 by sheriffbot@chromium.org, Nov 1

Project Member
Labels: Merge-Request-71

Comment 12 by sheriffbot@chromium.org, Nov 1

Project Member
Labels: -Merge-Request-71 Hotlist-Merge-Review Merge-Review-71
This bug requires manual review: M71 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 13 by gov...@chromium.org, Nov 1

Cc: awhalley@chromium.org benmason@chromium.org
+awhalley@ (Security TPM) for M71 merge review.

Comment 14 by awhalley@google.com, Nov 1

Labels: -Hotlist-Merge-Review -M-71 -Target-71 -Merge-Review-71 Target-72 M-72 Merge-Rejected-71

Comment 15 by awhalley@google.com, Nov 2

I'm afraid the VRP panel declined to reward for this bug either.

Comment 16 by awhalley@google.com, Nov 7

Labels: -reward-topanel reward-0

Comment 17 by awhalley@google.com, Jan 28

Labels: Release-0-M72

Comment 18 by awhalley@chromium.org, Jan 28

Labels: CVE-2019-5775 CVE_description-missing

Comment 19 by jdeblasio@chromium.org, Jan 28

Components: UI>Browser>Omnibox

Comment 20 by sheriffbot@chromium.org, Jan 30

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 21 by awhalley@chromium.org, Today (5 hours ago)

Labels: -CVE_description-missing CVE_description-submitted
