
Issue metadata

Status: Fixed
Owner:
Closed: Oct 24
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security
Team-Security-UX




Issue 896725: Security: IDN URL Spoofing with U+0a24

Reported by evi1m0.bat@gmail.com, Oct 18

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36

Steps to reproduce the problem:
### SPOOF CASE

(\u0a24) "ਤ" looks like a "3"; it's not easy to catch the spoofing.

Real: https://16ਤ.com --- Spoof domain: https://www.xn--16-vbg.com/

What is the expected behavior?

What went wrong?
IDN SPOOF

Did this work before? N/A 

Chrome version: 70.0.3538.67  Channel: stable
OS Version: 10.0
Flash Version:
 

Comment 1 by infe...@chromium.org, Oct 18

Components: UI>Security>UrlFormatting UI>Internationalization
Labels: -Pri-2 Target-71 Security_Severity-Medium M-71 Security_Impact-Stable Pri-1
Owner: mea...@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 2 by jdeblasio@chromium.org, Oct 19

Cc: mea...@chromium.org
Owner: jdeblasio@chromium.org

Comment 3 by mea...@chromium.org, Oct 19

Labels: idn-spoof

Comment 4 by mea...@chromium.org, Oct 19

Labels: idn-spoof

Comment 5 by jdeblasio@chromium.org, Oct 24

Status: Started (was: Assigned)

Comment 6 by bugdroid1@chromium.org, Oct 24

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/631450dbc524bca6809145ca6e08491704ad64b8

commit 631450dbc524bca6809145ca6e08491704ad64b8
Author: Joe DeBlasio <jdeblasio@chromium.org>
Date: Wed Oct 24 17:40:00 2018

Map U+0A24 to '3' in the list of IDN confusables.

Unicode character U+0A24 is easily confused with a '3'. This CL adds
this character to the list of confusable characters to use when
determining whether to render IDNs as punycode instead of their unicode
representation.

R=tommycli@chromium.org

Bug:  896725 
Change-Id: Ieaa38b5977b9afb454e672461722f3c8be9a2a2c
Reviewed-on: https://chromium-review.googlesource.com/c/1297638
Reviewed-by: Tommy Li <tommycli@chromium.org>
Commit-Queue: Joe DeBlasio <jdeblasio@chromium.org>
Cr-Commit-Position: refs/heads/master@{#602383}
[modify] https://crrev.com/631450dbc524bca6809145ca6e08491704ad64b8/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/631450dbc524bca6809145ca6e08491704ad64b8/components/url_formatter/url_formatter_unittest.cc
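
The effect of the confusables entry described in the commit message above, as an added example that is not part of the thread and is not Chromium's code. The function names, the two tables and the "skeleton is pure ASCII" display policy are assumptions made for illustration; only the U+0A24 to '3' mapping and the spoof domain come from the page.

```python
# Added example: a simplified model of a confusable check, not Chromium's code.

# Only the U+0A24 -> '3' entry comes from the commit message; the empty table
# models the list as it was without that entry.
CONFUSABLES_BEFORE_FIX = {}
CONFUSABLES_AFTER_FIX = {"\u0a24": "3"}


def decode_label(label):
    """Decode an ACE label ("xn--...") to Unicode; return other labels unchanged."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(label, confusables):
    """Replace each listed confusable with the ASCII character it resembles."""
    return "".join(confusables.get(ch, ch) for ch in label)


def reads_as_ascii(label, confusables):
    """True for a non-ASCII label whose skeleton is pure ASCII (assumed policy)."""
    return not label.isascii() and skeleton(label, confusables).isascii()


def display_form(host, confusables):
    """Return the host as shown to the user: Unicode unless a label is flagged."""
    labels = [decode_label(part) for part in host.split(".")]
    if any(reads_as_ascii(label, confusables) for label in labels):
        return host  # keep the punycode form for the whole host
    return ".".join(labels)


if __name__ == "__main__":
    host = "www.xn--16-vbg.com"  # spoof domain from the report
    for name, table in (("before", CONFUSABLES_BEFORE_FIX),
                        ("after", CONFUSABLES_AFTER_FIX)):
        print(name, display_form(host, table))
    # Constructed control case: a label with no listed confusable stays Unicode.
    print(display_form("xn--mnchen-3ya.de", CONFUSABLES_AFTER_FIX))
```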

Comment 7 by jdeblasio@chromium.org, Oct 24

Status: Fixed (was: Started)

Comment 8 by sheriffbot@chromium.org, Oct 25

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 9 by awhalley@chromium.org, Oct 31

Labels: reward-topanel

Comment 10 by sheriffbot@chromium.org, Nov 1

Project Member
Labels: Merge-Request-71

Comment 11 by sheriffbot@chromium.org, Nov 1

Project Member
Labels: -Merge-Request-71 Hotlist-Merge-Review Merge-Review-71
This bug requires manual review: M71 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 12 by jdeblasio@chromium.org, Nov 1

Labels: -Hotlist-Merge-Review -Security_Severity-Medium -M-71 -Target-71 -Merge-Review-71 Target-72 M-72 Security_Severity-Low

Comment 13 by awhalley@google.com, Nov 2

I'm afraid the VRP panel declined to reward for this bug, as is often the case for low severity issues.

Comment 14 by awhalley@google.com, Nov 7

Labels: -reward-topanel reward-0

Comment 15 by awhalley@google.com, Jan 28

Labels: Release-0-M72

Comment 16 by awhalley@chromium.org, Jan 28

Labels: CVE-2019-5781 CVE_description-missing

Comment 17 by jdeblasio@chromium.org, Jan 28

Components: UI>Browser>Omnibox

Comment 18 by sheriffbot@chromium.org, Jan 31

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 19 by awhalley@chromium.org, Today (5 hours ago)

Labels: -CVE_description-missing CVE_description-submitted
