
Issue metadata

Status: Fixed
Closed: Oct 23
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security


Issue 896722: Security: IDN URL Spoofing with U+0a67

Reported by, Oct 18

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36

Steps to reproduce the problem:

(\u0a67)(\u09ed) "੧" "৭" look like a "q"; it's not easy to catch the spoofing.

Real: https://੧੧.com --- Spoof domain:

What is the expected behavior?

What went wrong?
idn spoof

Did this work before? N/A 

Chrome version: 70.0.3538.67  Channel: stable
OS Version: 10.0
Flash Version:

Comment 1 by, Oct 18

Components: UI>Security>UrlFormatting UI>Internationalization
Labels: Target-71 Security_Severity-Medium M-71 Security_Impact-Stable
Status: Assigned (was: Unconfirmed)

Comment 2 by, Oct 19

Project Member
Labels: -Pri-2 Pri-1

Comment 3 by, Oct 19


Comment 4 by, Oct 19

Labels: idn-spoof

Comment 5 by, Oct 19

Labels: idn-spoof

Comment 6 by, Oct 22

Status: Started (was: Assigned)

Comment 7 by, Oct 23

Project Member
The following revision refers to this bug:

commit af38308b7112bdfbc0cfcc27f966314accc471d0
Author: Joe DeBlasio <>
Date: Tue Oct 23 18:30:11 2018

Mapping several Indic characters to confusables.

A number of characters from several Indian scripts are confusable,
especially with numbers. This change maps these characters to their
ASCII lookalike to allow fallback to punycode when displaying probable
spoofing URLs.

Bug:  849421 
Bug:  892646 
Bug:  896722 
Change-Id: I6d463642f3541454dc39bf4b32b8291417697c52
Reviewed-by: Tommy Li <>
Commit-Queue: Joe DeBlasio <>
Cr-Commit-Position: refs/heads/master@{#602032}
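
An added illustration of the approach the commit message above describes: map confusable characters to an ASCII lookalike, then fall back to punycode for display. This is not Chromium's code; the table contains only the two characters named in this report with the lookalike the reporter gives, and the display policy and all function names are assumptions made for the example.

```python
# Added illustration, not Chromium's implementation.
# Assumption: the table holds only the two characters named in this report,
# mapped to the ASCII letter the reporter says they resemble.
CONFUSABLE_TO_ASCII = {
    "\u0a67": "q",  # GURMUKHI DIGIT ONE
    "\u09ed": "q",  # BENGALI DIGIT SEVEN
}


def skeleton(label: str) -> str:
    """Replace each mapped character with its ASCII lookalike."""
    return "".join(CONFUSABLE_TO_ASCII.get(ch, ch) for ch in label)


def to_punycode(label: str) -> str:
    """Return the ACE (xn--) form of a non-ASCII label.

    Uses the raw punycode codec and skips the IDNA normalization step
    that a real URL formatter applies first.
    """
    return "xn--" + label.encode("punycode").decode("ascii")


def is_probable_spoof(label: str) -> bool:
    """Assumed policy: a non-ASCII label whose skeleton is pure ASCII
    can pass for an ASCII label, so it should not be shown as Unicode."""
    return not label.isascii() and skeleton(label).isascii()


def display_hostname(hostname: str) -> str:
    """Show Unicode labels as-is unless they are probable spoofs."""
    shown = []
    for label in hostname.split("."):
        shown.append(to_punycode(label) if is_probable_spoof(label) else label)
    return ".".join(shown)


if __name__ == "__main__":
    # Constructed sample hostnames.
    samples = ["\u0a67\u0a67.com", "\u09ed\u0a67.example", "b\u00fccher.de", "example.com"]
    for host in samples:
        print(f"{host!r} -> {display_hostname(host)!r}")
```

A label such as "bücher" stays in Unicode because its skeleton still contains a non-ASCII character, while a label made entirely of mapped characters is shown in its xn-- form.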

Comment 8 by, Oct 23

Status: Fixed (was: Started)

Comment 9 by, Oct 24

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 10 by, Oct 31

Labels: reward-topanel

Comment 11 by, Nov 1

Project Member
Labels: Merge-Request-71

Comment 12 by, Nov 1

Project Member
Labels: -Merge-Request-71 Hotlist-Merge-Review Merge-Review-71
This bug requires manual review: M71 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit - Your friendly Sheriffbot

Comment 13 by, Nov 1

+awhalley@ (Security TPM) for M71 merge review.

Comment 14 by, Nov 1

Labels: -Hotlist-Merge-Review -M-71 -Target-71 -Merge-Review-71 Target-72 M-72 Merge-Rejected-71

Comment 15 by, Nov 2

I'm afraid the VRP panel declined to reward for this bug either.

Comment 16 by, Nov 7

Labels: -reward-topanel reward-0

Comment 17 by, Jan 28

Labels: Release-0-M72

Comment 18 by, Jan 28

Labels: CVE-2019-5775 CVE_description-missing

Comment 19 by, Jan 28

Components: UI>Browser>Omnibox

Comment 20 by, Jan 30

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 21 by, Today (5 hours ago)

Labels: -CVE_description-missing CVE_description-submitted
