
Issue metadata

Status: Fixed
Closed: Oct 24
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security


Issue 896725: Security: IDN URL Spoofing with U+0a24

Reported by, Oct 18

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36

Steps to reproduce the problem:

(\u0a24) "ਤ" looks like a "3"; it's not easy to catch the spoofing.

Real: https://16ਤ.com --- Spoof domain:

What is the expected behavior?

What went wrong?

Did this work before? N/A 

Chrome version: 70.0.3538.67  Channel: stable
OS Version: 10.0
Flash Version:

Comment 1 by, Oct 18

Components: UI>Security>UrlFormatting UI>Internationalization
Labels: -Pri-2 Target-71 Security_Severity-Medium M-71 Security_Impact-Stable Pri-1
Status: Assigned (was: Unconfirmed)

Comment 2 by, Oct 19


Comment 3 by, Oct 19

Labels: idn-spoof

Comment 4 by, Oct 19

Labels: idn-spoof

Comment 5 by, Oct 24

Status: Started (was: Assigned)

Comment 6 by, Oct 24

Project Member
The following revision refers to this bug:

commit 631450dbc524bca6809145ca6e08491704ad64b8
Author: Joe DeBlasio <>
Date: Wed Oct 24 17:40:00 2018

Map U+0A24 to '3' in the list of IDN confusables.

Unicode character U+0A24 is easily confused with a '3'. This CL adds
this character to the list of confusable characters to use when
determining whether to render IDNs as punycode instead of their unicode

Bug:  896725 
Change-Id: Ieaa38b5977b9afb454e672461722f3c8be9a2a2c
Reviewed-by: Tommy Li <>
Commit-Queue: Joe DeBlasio <>
Cr-Commit-Position: refs/heads/master@{#602383}
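
The decision described in the commit message above, as an added Python example (not Chromium's code and not part of this thread): a non-ASCII host whose confusable-mapped skeleton matches a protected name is displayed as punycode. The table holds only the U+0A24 mapping from this bug; the protected list, the `.example` hosts, the matching rule and all function names are assumptions made for the example.

```python
import unicodedata

# Constructed, minimal confusable table: only the mapping this bug is about.
CONFUSABLES = {"\u0a24": "3"}  # GURMUKHI LETTER TA -> DIGIT THREE

# Hypothetical protected-name list (constructed for this example).
PROTECTED_HOSTS = {"163.example"}


def skeleton(host, table=CONFUSABLES):
    """Replace each confusable character with the ASCII character it resembles."""
    return "".join(table.get(ch, ch) for ch in host)


def to_punycode(host):
    """Encode each non-ASCII label as xn--<punycode>; ASCII labels pass through."""
    labels = []
    for label in host.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def display_form(host, table=CONFUSABLES, protected=PROTECTED_HOSTS):
    """Return the string a URL bar should show for `host`."""
    host = unicodedata.normalize("NFC", host).lower()
    if host.isascii():
        return host
    # A non-ASCII host whose skeleton equals a protected name is a lookalike:
    # show the unambiguous ASCII (punycode) form instead of the Unicode one.
    if skeleton(host, table) in protected:
        return to_punycode(host)
    return host


if __name__ == "__main__":
    spoof = "16\u0a24.example"  # constructed host using the character from the report
    print("without mapping:", display_form(spoof, table={}))
    print("with mapping:   ", display_form(spoof))
```

Passing `table={}` reproduces the state before the mapping existed: the lookalike host is returned in its Unicode form.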

Comment 7 by, Oct 24

Status: Fixed (was: Started)

Comment 8 by, Oct 25

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 9 by, Oct 31

Labels: reward-topanel

Comment 10 by, Nov 1

Project Member
Labels: Merge-Request-71

Comment 11 by, Nov 1

Project Member
Labels: -Merge-Request-71 Hotlist-Merge-Review Merge-Review-71
This bug requires manual review: M71 has already been promoted to the beta branch, so this requires manual review.
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit - Your friendly Sheriffbot

Comment 12 by, Nov 1

Labels: -Hotlist-Merge-Review -Security_Severity-Medium -M-71 -Target-71 -Merge-Review-71 Target-72 M-72 Security_Severity-Low

Comment 13 by, Nov 2

I'm afraid the VRP panel declined to reward for this bug, as is often the case for low severity issues.

Comment 14 by, Nov 7

Labels: -reward-topanel reward-0

Comment 15 by, Jan 28

Labels: Release-0-M72

Comment 16 by, Jan 28

Labels: CVE-2019-5781 CVE_description-missing

Comment 17 by, Jan 28

Components: UI>Browser>Omnibox

Comment 18 by, Jan 31

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 19 by, Today (5 hours ago)

Labels: -CVE_description-missing CVE_description-submitted
