
Shmoo Group Finds Exploit For non-IE Browsers

Hemos posted more than 9 years ago | from the even-mozilla-is-guilty dept.

Security 621

shut_up_man writes "Saw this on Boing Boing: East coast hacker con Shmoocon ended today and they had a nasty browser exploit to show off... using International Domain Name (IDN) character support to display fake domain names in links and the address bar. Their examples use Paypal (with SSL too) and this looks very useful for phishing attacks. Interesting note that it works in every browser *except* IE (which makes this exploit a lot less dangerous in the end, I suppose)." The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.


621 comments

IE and Firefox (-1)

Anonymous Coward | more than 9 years ago | (#11596595)

In Internet Explorer 6 (Windows 2000 SP4), it does fake the mouseover status bar, so there's potentially some use there.

In Firefox, you can still find the true site via looking at the certificate, or by viewing source. I'm sure 1.0.1 will be out soon to fix it.

Re:IE and Firefox (0)

naylor83 (836780) | more than 9 years ago | (#11596619)

Yes, I sure hope so, since this seems pretty serious.


Another IDN bug on Firefox (5, Informative)

IO ERROR (128968) | more than 9 years ago | (#11596597)

When trying this out on Firefox on Linux, I noticed that the URL in the address bar is rendered two or three pixels lower than normal. If you're paying close attention, this is easy to spot. Also, the "real" URL appears in the status bar while the spoofed page is being loaded, i.e. "Looking up www.xn--pypal-4ve.com..."

To disable IDN as a workaround for this problem (on Gecko-based browsers): hit about:config [about] and set network.enableIDN to false.

Re:Another IDN bug on Firefox (-1, Troll)

Saven Marek (739395) | more than 9 years ago | (#11596636)

Another thing as well: this can't really be counted as a Linux vulnerability. If you look at the source code, either in an email message or in the browser, it's clear as day that it's not going to the real paypal.com.

This is just more FUD, people.

my blog [savenmarek.org]

Re:Another IDN bug on Firefox (5, Insightful)

drinkypoo (153816) | more than 9 years ago | (#11596677)

I hope you do realize that on most computers, if the view source tool has ever been used, it was because the user hit it accidentally while trying to access another menu item or key combination...

Re:Another IDN bug on Firefox (0)

Saven Marek (739395) | more than 9 years ago | (#11596747)

You can't blame the browser when people refuse to use features that can protect them.

Re:Another IDN bug on Firefox (1)

stryke3 (856078) | more than 9 years ago | (#11596824)

Even if they don't check the source, paypal warns all the time not to click on links in emails or to use url links on pages to get to paypal. They want you to type in their domain in the address bar and login from there.

Re:Another IDN bug on Firefox (5, Informative)

vivin (671928) | more than 9 years ago | (#11596686)

Who says this is a Linux vulnerability? This is a browser vulnerability.

Browsers != Linux.

And it's not FUD - it is an actual problem. It sure tricked Firefox running on my windows machine.

Re:Another IDN bug on Firefox (2, Informative)

Anonymous Coward | more than 9 years ago | (#11596700)

1) It isn't a Linux vulnerability, it is an IDN phishing vulnerability that affects Firefox amongst other browsers
2) Most people don't look at the source code!
3) Hence it is a phishing vulnerability, i.e., masquerade to fool the average user
4) It certainly isn't FUD when your non-geek relative loses a lot of money by one of these phishing attacks

Re:Another IDN bug on Firefox (2, Insightful)

NanoGator (522640) | more than 9 years ago | (#11596783)

"This is just more FUD people"

Ah, I get it. When it's about FireFox, it's FUD. When it's about Microsoft, it's just another reason to switch. Am I getting warm?

Re:Another IDN bug on Firefox (1)

Ced_Ex (789138) | more than 9 years ago | (#11596854)

Another thing as well: this can't really be counted as a Linux vulnerability. If you look at the source code, either in an email message or in the browser, it's clear as day that it's not going to the real paypal.com.

You are assuming everyone double checks their links by reading the source code.

Re:Another IDN bug on Firefox (5, Insightful)

Tetsugaku-San (717792) | more than 9 years ago | (#11596679)

yeah, cos we ALL watch that stuff - and my monitor is at 320x200 so 3 pixels out is easy to spot . . . .

Re:Another IDN bug on Firefox (1, Insightful)

Anonymous Coward | more than 9 years ago | (#11596683)

Firefox 1.0 on Windows with IDN off and a cleared cache is still affected (even after a restart of firefox).

Re:Another IDN bug on Firefox (4, Informative)

Troed (102527) | more than 9 years ago | (#11596697)

Works 100% as advertised in Opera. No easy way to spot it's fake.

On the other hand, this is nothing new. This was predicted a long time ago when debating how to handle websites with character sets incompatible with the ones used in Western countries.

Re:Another IDN bug on Firefox (4, Informative)

squiggleslash (241428) | more than 9 years ago | (#11596733)

Just tried it on Safari, and unfortunately none of the "bugs" that occur in Firefox that give the game away are present. Mouseover looks like Paypal. Connecting message shows nothing untoward. Renders as "www.paypal.com" in the regular font and location on the URL bar.

I wonder if there's a quick and easy fix for this for Safari users, like there is for Firefox (about:config, network.enableIDN -> false.)

Re:Another IDN bug on Firefox (1, Interesting)

Saven Marek (739395) | more than 9 years ago | (#11596774)

> I wonder if there's a quick and easy fix for this for Safari users

Look at the source, it's obvious there.

Re:Another IDN bug on Firefox (3, Informative)

duvie (692383) | more than 9 years ago | (#11596794)

One: the setting of enableIDN to false appears to have NO effect.

Two: The only way to see that you are not at paypal (unless you notice the flash-by in the status bar) is to look at the certificate details. For the POC site, the certificate was issued to "www.xn--pypal-4ve.com"

We all read those certs every time, neh?

Re:Another IDN bug on Firefox (2, Informative)

Digitalia (127982) | more than 9 years ago | (#11596797)

That did not work for me. Upon disabling IDN, I went back and tried the link again. It was still spoofed.

notepad (5, Informative)

leuk_he (194174) | more than 9 years ago | (#11596804)

If I copy/paste the link into Notepad it just looks right. And if I copy/paste it back to Firefox I get the "spoofed" page back again.

next:

Trolls can have a couple of days fun on slashdot.

And Verisign can sell a lot of domains to phishers. (Profit!)

Re:Another IDN bug on Firefox (5, Informative)

finkployd (12902) | more than 9 years ago | (#11596841)

To disable IDN as a workaround for this problem (on Gecko-based browsers): hit about:config and set network.enableIDN to false.

That is a great suggestion, except for the part where it does not work.

Go ahead, make the change, then restart your browser. Now go look at about:config again. Yup, still set to false. Now go see if the setting worked. It does not. So at least with Firefox 1.0 this just took a bad situation and made it worse. Now people will think turning off this setting will actually accomplish something and protect them, and it will not.

Finkployd

Re:Another IDN bug on Firefox (1)

Richard_at_work (517087) | more than 9 years ago | (#11596866)

It may show the correct address when loading, but hover over the link and paypal.com is still shown as the link in the status bar. Bit of a messy bug, but a dangerous bug all the same.

Are phishers going to bother with this, though? (5, Interesting)

The I Shing (700142) | more than 9 years ago | (#11596602)

I'm surprised to hear that Microsoft's refusal to adopt international standards in their browser actually thwarts a potential phishing attack rather than aiding it. If the problem can't be fixed in the browsers, maybe email clients and websites can find some way of decoding, detecting, and disabling such links. Are phishers going to bother trying to use this exploit if it works on less than 10% of their potential victims?

Re:Are phishers going to bother with this, though? (1)

LourensV (856614) | more than 9 years ago | (#11596724)

Well, it is just like a Windows XP virus not working on Windows 98 I guess, not that special.

I'm wondering whether it would be a good solution to warn the user if a URL uses characters from different scripts, maybe only if it's isolated characters. That way, if you had a URL consisting of two words in different scripts, it would still work, but if you replaced a single letter to fool the user they'd get a nicely coloured navbar (or something similar).

Re:Are phishers going to bother with this, though? (3, Insightful)

AbbyNormal (216235) | more than 9 years ago | (#11596732)

Cmon. We are all touting Firefox to be the next "Greatest" thing since sliced bread. I have it installed on most of my family's machines. What now when M$ turns this around and says: "See? Only MS prevented this flaw because of our proprietary tested..bla blah".

All it takes is 1% of the 10 percent.

Re:Are phishers going to bother with this, though? (4, Insightful)

moon-monster (712361) | more than 9 years ago | (#11596750)

> Are phishers going to bother trying to use this exploit if it works on less than 10% of their potential victims?

They sure are. Think about how many people actually respond to spam messages. It's probably much smaller than 0.01%, but it's still economical enough for them to send out the messages anyway. I'd be fairly confident that the same holds true for phishers, too.

Re:Are phishers going to bother with this, though? (0)

Saven Marek (739395) | more than 9 years ago | (#11596865)

> I'm surprised to hear that Microsoft's refusal to adopt
> international standards in their browser actually thwarts a
> potential phishing attack rather than aiding it.

The thing is, this is another carry-on effect where MS's refusal to follow standards only hurts others. Now when a phish attack that can take advantage of this problem appears, it will be designed to hit other browsers, say Firefox on Linux or Opera or Konqueror. So because it only breaks on these browsers, it will mean any attacks on them will be tailor made for their kinds of users, which is Linux users.

So when a phish attack comes along attacking linux users it might phish for cvs passwords and other open source type things instead of just banking details. I consider this a big risk to some open source projects. I wonder what browser Linus uses??

If MS had followed standards they could not allow phishers to attack just a specific group like this, and phishers would have to act blindly like they are now only looking for generic things that affect most of the population.

Re:Are phishers going to bother with this, though? (1)

SenseiLeNoir (699164) | more than 9 years ago | (#11596867)

"I'm surprised to hear that Microsoft's refusal to adopt international standards in their browser actually thwarts a potential phishing attack rather than aiding it."

hey.. don't tell them that.. we actually want MS to ADD support, not remove it in the future....

New IE7, now with less CSS support, FOR YOUR SECURITY!!!!

And before you laugh.. remember we are touting that Firefox is more secure because of its lack of ActiveX.

(Before you call me a troll, put yourself in the shoes of Joe Bloggs who hasn't a clue nor cares about the dangers of ActiveX)

Canned Slashdot Response (4, Funny)

bigtallmofo (695287) | more than 9 years ago | (#11596606)

Serves those Internet Explorer users right! They should immediately switch to ... uh, wait. Nevermind.

Re:Canned Slashdot Response (0)

Anonymous Coward | more than 9 years ago | (#11596757)

Makes me want to switch to IE...:/

fp (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11596618)

i fail it!

So what? (5, Insightful)

Anonymous Coward | more than 9 years ago | (#11596621)

This isn't per se a browser fault, it is more of a flaw in the IDN system.

At least we can bash FF instead of IE now.

Re:So what? (4, Insightful)

kimba (12893) | more than 9 years ago | (#11596776)

It isn't even that. It is a fundamental side-effect of the notion of internationalization, and the fact that Cyrillic and Latin (and others) share the same letters. More specifically, you may consider it can be pinned on the way Unicode enumerates characters (by giving different code points to letters rendered the same).

It isn't a fault of the browser or IDNs.

Switch (5, Funny)

Anonymous Coward | more than 9 years ago | (#11596626)

Damnit... now I'm switching back.

Re:Switch (1)

naylor83 (836780) | more than 9 years ago | (#11596742)

Heh.

IE also fails! (kinda) (4, Informative)

grandmofftarkin (49366) | more than 9 years ago | (#11596627)

The first thing I did was fire up IE (a rare occurrence) and test this. IE also failed (for me). Then I remembered that I have the i-Nav plug-in [idnnow.com] installed. Granted, this isn't actually a fault of IE then but rather the plugin. Though it should be noted that IE is only spared because (in its default configuration, i.e. without the plugin) it doesn't support standards. In this case that standard is Punycode [wikipedia.org].

This would actually appear to be a flaw in the Punycode standard rather than the browsers themselves, given that all IDN (internationalized domain name) aware browsers similarly fail.

Looks like someone may have to fix Punycode. Then we can update the browsers. In the mean time perhaps Opera, Firefox, etc. can give some kind of visual notification when Punycode is used, in the same way the URL turns yellow when a secure URL is entered in Firefox.

Re:IE also fails! (kinda) (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11596684)

Spin it this way, that way. It doesn't matter. Firefox is vulnerable, IE isn't. I'm sorry guys but FIREFOX FAILS IT!

Re:IE also fails! (kinda) (0)

Anonymous Coward | more than 9 years ago | (#11596752)

Spin it this way, that way. It doesn't matter. Firefox is vulnerable, IE isn't. I'm sorry guys but FIREFOX FAILS IT!

In Soviet Russia, Cyrillic domain names exploit YOU!

Re:IE also fails! (kinda) (1)

grandmofftarkin (49366) | more than 9 years ago | (#11596784)

Spin it this way, that way. It doesn't matter. Firefox is vulnerable, IE isn't. I'm sorry guys but FIREFOX FAILS IT!

I didn't pass a comment on Firefox being superior (although it is). All I'm saying is that we need to either 'fix' the Punycode system (if this is possible) and/or put a visual clue in the browser when Punycode is being used.

Though why I'm taking the time to respond to a troll I don't know. I must be bored!

Re:IE also fails! (kinda) (1)

E IS mC(Square) (721736) | more than 9 years ago | (#11596755)

From TFA:


V. Workaround

You can disable IDN support in mozilla products by setting 'network.enableIDN' to false. There is no workaround known for Opera or Safari.


At least, FF users are safe once they turn off IDN support. God bless Opera/Safari users.

Why? (0, Troll)

sammykrupa (828537) | more than 9 years ago | (#11596633)

Are they telling every man and his dog by letting this get on /.? If they had just released some patches for Firefox and written up some help files for people this would not mean much.

Re:Why? (1, Funny)

Anonymous Coward | more than 9 years ago | (#11596699)

Hmm.. hiding exploits so that you can take your sweet time getting the fixes done? Do you work for Microsoft?

Hack works in firefox. (0, Redundant)

gigem4me (853521) | more than 9 years ago | (#11596635)

Just tried out the page in Firefox. The links sure tricked my Firefox browser. I start to get worried when IE is better against a hack than Firefox. But then again my computer is not infested with spyware either. So Firefox is doing something right.

Firefox 1.0 (4, Informative)

rubypossum (693765) | more than 9 years ago | (#11596642)

If you "View Source" for some weird reason the real address shows up in the title bar.

Shmoocon IDN Demo (1, Interesting)

Anonymous Coward | more than 9 years ago | (#11596646)

I was personally there. The demonstration of the IDN spoofing at Shmoocon was hands down very disturbing. This will open new possibilities for fraud and phishers unless something is done about it. I suggest browsers point out when mixed-language characters are used in URLs; this may help mitigate this severe issue.

-caes

obligatory Nelson response (-1, Troll)

zagatka (832540) | more than 9 years ago | (#11596647)

HA HA!

Call me a flamer.... errr (1, Funny)

isa-kuruption (317695) | more than 9 years ago | (#11596648)

This is a good reason why we should just force all nations in the world to adopt a single language, English.

Erm of course... if I was French, I would just sed 's/English/French/' that last sentence and you wouldn't mod me -1 Flamebait.

Re:Call me a flamer.... errr (-1, Troll)

Turn-X Alphonse (789240) | more than 9 years ago | (#11596781)

Fine by me. You can go tell all them people living in the jungle to use English. I suspect you won't be coming back, so goodbye to you sir.

Re:Call me a flamer.... errr (0)

Anonymous Coward | more than 9 years ago | (#11596821)

But why english? Because most people know it?

If that's the reason you might as well shove Christianity down everybody's throat too. It's the most popular, right? Let's just declare all others inferior! Why not? There'd be no religious wars then... right?

Choice in language is good.

This isn't a newly discovered exploit. (4, Insightful)

tgd (2822) | more than 9 years ago | (#11596650)

I can remember discussions about it years ago. I'd bet there may even be a /. article about it, although it's not really worth searching to see.

This was a big part of the criticism around supporting larger character sets in domain names.

This has been hinted at (1)

ded_guy (698956) | more than 9 years ago | (#11596652)

in an entry in Michael Kaplan's blog [msdn.com] last month. That in turn mentions this entry [msdn.com] which talks about spoofing filenames using a similar method.

Opera won't fix it? (5, Informative)

MoonFog (586818) | more than 9 years ago | (#11596655)

From the text:
VI. Vendor Responses

Verisign: No response yet.
Apple: No response yet.
Opera: They believe they have correctly implemented IDN, and will not be making any changes.
Mozilla: Working on finding a good long-term solution; provided clear workaround for disabling IDN.

So, Opera won't fix it? They have a proof of concept, and Opera believe their implementation is correct? Maybe, but they still need to provide an update, and something tells me they will .. eventually.

Re:Opera won't fix it? (4, Insightful)

Wudbaer (48473) | more than 9 years ago | (#11596691)

The problem is not their implementation, which is likely correct. The problem is that the standard is "wrong" in this respect.

So it will be quite difficult to fix this without breaking and/or changing the standard.

Re:Opera won't fix it? (1)

MoonFog (586818) | more than 9 years ago | (#11596712)

You're probably correct, but that doesn't help the fact that their browser is vulnerable to this exploit. As the article summary states, they do not have an option to turn the use of IDN off.

Re:Opera won't fix it? (0)

Anonymous Coward | more than 9 years ago | (#11596744)

Hey RETARD!

No they don't... if IE had the plugin it would be vulnerable too, but you couldn't yell at MS to fix it... the STANDARD is broken, not the browser. The browser just follows the standard like it's supposed to.

Re:Opera won't fix it? (2, Interesting)

TheIndividual (812531) | more than 9 years ago | (#11596860)

The nice thing is that you don't need to break or change the standard. It just shows that you should think a little about something before you implement it, even if it is a widely used standard.
In this case, why not introduce a warning popup if the domain name contains a Unicode letter that looks like a normal ASCII letter?
Effort? One lookup table of "bad" Unicode letters and a small if-statement before opening a link...

Re:Opera won't fix it? (2, Informative)

NanoGator (522640) | more than 9 years ago | (#11596748)

"So, Opera won't fix it? They have a proof of concept, and Opera believe their implementation is correct? Maybe, but they still need to provide an update, and something tells me they will .. eventually."

In case anybody's curious, Opera's broken, too.

I'm really kinda saddened by this. There was an exploit a year or two ago that worked in a similar way. It involved using an @ symbol in the header to disguise the true domain. At the time, Mozilla and IE were absolutely broken in that respect, but Opera was nice enough to put up a friendly message saying "Are ya sure you want to enter this particular domain?" (Kinda necessary, those @ symbols are useful.) Guess I just kinda expected more from Opera in this respect.

Re:Opera won't fix it? (5, Insightful)

TheIndividual (812531) | more than 9 years ago | (#11596763)

Well it isn't really a bug. Their implementation is correct it just suffers a flaw that IDN introduced. So from a technical point of view, the browser does what it is supposed to do. However it would be nice to see them implement some kind of protection against unicode letters looking like ASCII-letters. A warning popup or colour coding of those letter maybe.

I'm waiting the patch from MS (5, Funny)

gustgr (695173) | more than 9 years ago | (#11596658)

Ok, it doesn't work in IE... so when will the patch be released? I mean... it is IE, the exploits HAVE to work. Microsoft should be worried, they are not doing their job properly.

Re:I'm waiting the patch from MS (0)

Anonymous Coward | more than 9 years ago | (#11596825)

Yeah, someone will get fired for this! Especially given Billy's comments about interoperability lately.

Imagine, an exploit that IE is not vulnerable to... who'd a thunk it?

Re:I'm waiting the patch from MS (0)

Anonymous Coward | more than 9 years ago | (#11596826)

Actually, since it is a broken standard that should be fixed, this just goes to show M$ not following standards once again. This is of course the singular time that it's not that bad.

Known for years.... (4, Interesting)

Chris_Jefferson (581445) | more than 9 years ago | (#11596659)

Seriously, it's been known for years that adding international character sets was going to cause the problem of multiple identical (or almost identical) characters.

On the other hand, no-one really seems sure of the best way to fix it... One option is obviously to mark somehow when non-ASCII characters are used, but while this will help the people who only want ASCII URLs, it will still leave the problem for everyone who wants to use this extended system, making it effectively useless....

No, add new color codes (0)

Anonymous Coward | more than 9 years ago | (#11596741)

Okay, so right now white is plain ascii, yellow is secure ascii. Let's add gray for plain international, and orange for secure international.

Visual cues could be more refined than that (2, Interesting)

FreeUser (11483) | more than 9 years ago | (#11596857)

On the other hand, no-one really seems sure of the best way to fix it... One option is obviously to mark somehow when non-ASCII characters are used, but while this will help the people who only want ASCII URLs, it will still leave the problem for everyone who wants to use this extended system, making it effectively useless....

I think you're on the right track here.

Perhaps the best approach is to use a different font/different colour for particular ranges of characters, or characters outside of one's locale setting, so e.g. if my locale is Germany, and Cyrillic or French accent-grave or what have you characters are loaded, then display that character in bold, or in red, or what have you. Also, tint the background of the URL pink or something, so if the offending character is scrolled off the end of the URL field, the user still gets a visual clue that something is wrong.

I'm sure there are other possibilities, like putting a little warning at the top whenever characters are in the URL that are strikingly similar to characters in the default locale OR standard ASCII, specifying what the character is and perhaps stating something like "http://spo0furl.com IS NOT THE SAME as http://spoofurl.com".

IDNs were a bad idea anyway (4, Interesting)

Anonymous Coward | more than 9 years ago | (#11596663)

Except when implemented in their own country code namespace of course.

There are so many characters that look alike, that it is trivial to register a domain name that will look the same as another one. Typically the different character would only be recognised by a native that used that character, although using it alongside normal English characters would probably throw them off as well.

Solution? Maybe an "IDN" icon in the URL bar, or a warning if an IDN uses a mixture of normal English characters with some foreign characters in an IDN.
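The two comments above (the per-character colouring for characters outside the user's locale, and the "IDN icon" or mixed-script warning) describe the same check. Here it is as an added example in Python, written for this page and not taken from the Shmoo Group demo or from any browser's code. It classifies each DNS label by the Unicode script of its letters, brackets any character outside the locale's scripts so a scrolled-off offender still shows up in the summary, and reports the on-the-wire forms: the IDNA punycode form that an IDN-aware resolver sends, and the raw percent-encoded UTF-8 that a client without IDN support would emit. The locale (German, so only Latin letters count as native) and the sample hostnames are assumptions for the demonstration; the second sample uses U+0430 CYRILLIC SMALL LETTER A in place of the Latin "a".

```python
# Added example for the Slashdot thread on IDN homographs; not code from the
# Shmoo Group advisory or from any browser. Locale and samples are assumed.
import unicodedata
from urllib.parse import quote

# Assumed locale: German, so Latin letters (accented or not) are "native".
LOCALE_SCRIPTS = {"LATIN"}


def script_of(ch):
    """Script family of one character, read from the first word of its
    Unicode name ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC'). Digits, hyphens
    and other non-letters are reported as 'COMMON' so that they never trip
    the mixed-script check on their own."""
    if not unicodedata.category(ch).startswith("L"):
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def classify_label(label, locale_scripts=LOCALE_SCRIPTS):
    """Describe one DNS label: the scripts it uses, the characters that fall
    outside the locale's scripts, and a marked-up copy with those characters
    bracketed (the "display it in red" idea, rendered as plain text)."""
    allowed = locale_scripts | {"COMMON"}
    scripts = {script_of(ch) for ch in label} - {"COMMON"}
    foreign = [ch for ch in label if script_of(ch) not in allowed]
    marked = "".join(f"[{ch}]" if ch in foreign else ch for ch in label)
    return {"scripts": scripts, "foreign": foreign, "marked": marked}


def analyze_host(host, locale_scripts=LOCALE_SCRIPTS):
    """Classify a hostname and produce what a URL bar could show: a severity
    level, the marked-up name, the wire forms and a warning sentence."""
    labels = host.split(".")
    parts = [classify_label(lbl, locale_scripts) for lbl in labels]
    scripts = set().union(*(p["scripts"] for p in parts))
    foreign = [ch for p in parts for ch in p["foreign"]]

    if host.isascii():
        level = "plain-ascii"        # the "white" case in the comment above
    elif any(len(p["scripts"]) > 1 for p in parts):
        level = "mixed-script"       # homograph signature: Cyrillic inside Latin
    elif foreign:
        level = "foreign-script"     # whole label in a script outside the locale
    else:
        level = "international"      # e.g. accented Latin for a Latin locale

    # IDNA ToASCII form (RFC 3490), as sent by an IDN-aware resolver.
    punycode = host.encode("idna").decode("ascii")
    # Raw UTF-8 percent-encoding, what a client with no IDN support emits.
    percent = ".".join(quote(lbl) for lbl in labels)
    marked = ".".join(p["marked"] for p in parts)
    warning = None
    if level != "plain-ascii":
        warning = f"{marked} is NOT plain ASCII; it resolves as {punycode}"
    return {"host": host, "level": level, "scripts": sorted(scripts),
            "foreign": foreign, "marked": marked, "punycode": punycode,
            "percent": percent, "warning": warning}


if __name__ == "__main__":
    # Constructed samples; the second uses U+0430 CYRILLIC SMALL LETTER A.
    for h in ["paypal.com", "p\u0430ypal.com", "m\u00fcnchen.de"]:
        r = analyze_host(h)
        print(f'{r["level"]:14} {r["marked"]:18} {r["punycode"]}')
```

The "mixed-script" level is the one worth a hard warning: a label that is entirely Cyrillic is a normal Russian domain, while a Latin label with one Cyrillic letter has no honest use. Note that Python's idna codec implements IDNA 2003 (nameprep plus punycode), which is the generation of the standard this thread is about; the script lookup via character names is a pragmatic stand-in for a real Unicode Script property table.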

Stop obsessing over Microsoft, please. (2, Insightful)

Anonymous Coward | more than 9 years ago | (#11596668)

The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.

IE wasn't relevant to this article, yet you found a way to wedge it in and smear it regardless.

The browsers the exploit WAS found for weren't even mentioned by name, yet IE was.

How is this anything except nasty propaganda?

Propaganda (2, Informative)

AtariAmarok (451306) | more than 9 years ago | (#11596702)

"Propaganda" being anything someone says that you do not like. Mentioning IE is quite relevant. My first thought on reading such a thing is its status in regards to MSIE. Also, in case you have not heard before, MSIE has a reputation for being subject to such exploits in the past.

Relevant (0)

Anonymous Coward | more than 9 years ago | (#11596775)

"Relevant" being whatever your first thought on reading something is, apparently. IE had nothing to do with this exploit, yet it's in both the article and the headline. The author had to weasel some way in that IE was affected too.

Face it, you guys are obsessed with Microsoft. Get lives.

Re:Propaganda (0, Redundant)

bersl2 (689221) | more than 9 years ago | (#11596780)

Can we please get that headline changed to read "Shmoo Group Find Exploit in All IDN Implementations" or something like that? The headline really gives the wrong impression, despite there being a note at the end of the write-up.

Re:Propaganda (0)

Anonymous Coward | more than 9 years ago | (#11596790)

"Propaganda" being anything someone says that you do not like.

Nice evasion. Actually, that's the Slashdot definition of "Flamebait" or "Troll".

"Propaganda" explicitly means "the systematic propagation of a doctrine or cause or of information reflecting the views and interests of those advocating such a doctrine or cause," which is precisely how I meant it in regards to the adding of IE's name -- and no one else's -- to an article about exploits found for non-IE browsers.

Propaganda definition (2, Informative)

AtariAmarok (451306) | more than 9 years ago | (#11596807)

"the systematic propagation of a doctrine or cause or of information reflecting the views and interests of those advocating such a doctrine or cause,"

This can apply to any time anyone says anything. However, in practice, the word "propaganda" is only used when someone does not like what is being said. It is similar to "rhetoric" in this regard.

Your Microsoft Obsession (0)

Anonymous Coward | more than 9 years ago | (#11596862)

This can apply to any time anyone says anything.

No, it can't. You're glossing over to relativize the word so that you won't be wrong -- but it's too late, you already are. "Systematic propagation" means something specific, and is directly applicable in this instance.

Re:Stop obsessing over Microsoft, please. (1)

TheIndividual (812531) | more than 9 years ago | (#11596803)

How is this insightful?
IE is the most used browser so it is very important if it is vulnerable.
Given that IE isn't vulnerable, there may not be a critical mass of victims for phishers to try this.

Re:Stop obsessing over Microsoft, please. (0, Troll)

ScrewMaster (602015) | more than 9 years ago | (#11596837)

You work for Billy, don't you.

network.enableIDN doesn't fix things (5, Informative)

openSoar (89599) | more than 9 years ago | (#11596671)

The 'fix' they mention (setting network.enableIDN to false via about:config) only works until you restart the browser - when you reopen the browser, things are back to the same even though the setting is still false.

less dangerous than some IE exploits (0)

Anonymous Coward | more than 9 years ago | (#11596674)

This is far less dangerous than some of the recent IE exploits. IE is simply an invitation for trouble whereas Mozilla/Firefox can still be considered secure browsers.

Talk About Asking For Trouble (3, Insightful)

sp3c1alK (604261) | more than 9 years ago | (#11596868)

Comments like this worry me. We really have to be careful about letting our guard down just because Firefox is more secure. The whole point of the article is that the exploits DO exist.

On one hand, we (the /. community) love to talk about how Firefox's market share is growing quickly but then minimize potential problems. So how is this problem 'less dangerous than some IE exploits'?

Don't get me wrong, I'm all about Firefox, but we can't get lazy.

Ha Ha! (1)

gowen (141411) | more than 9 years ago | (#11596676)

Since I haven't got any half-decent Cyrillic fonts installed, the "homographs" don't look remotely the same on this machine.

Not Lynx (3, Interesting)

OECD (639690) | more than 9 years ago | (#11596678)

It doesn't seem to work with Lynx, either. The URLs are obviously different from what they're supposed to be, and they don't point to any site at all.

Lynx does try the URL, though, so it may be possible to set up another domain to catch it, but the URL would still be obviously wrong (something like p%a%y%p%a%l.com)

Spoofstick plugin (1)

Halvard (102061) | more than 9 years ago | (#11596685)

This is defeated as well. Normally, you see the real domain name in Spoofstick under Firefox on Windows. As another poster stated, you do indeed briefly see the real URL in the status bar.

konqueror less vulnerable (0)

Anonymous Coward | more than 9 years ago | (#11596687)

konqueror fails with http, but with https it warns about the certificate.

ICANN is worried too (5, Informative)

Peter_Pork (627313) | more than 9 years ago | (#11596690)

From ICANN's log [icann.org]:
There are many technical problems with this change. It essentially undermines IDNA, which is now on standards track, by adding a level of guessing to the DNS that IDNA is explicitly designed to avoid. Further, it makes it appear that IDNs are only useful in domain names for web sites (and only for sites in .com and .net), and only at the second level. VGRS has said that their plug-in will not work with most of the ccTLDs, for example.

For example, if you enter .com in Internet Explorer for Windows, where "" is the single hex octet 0xE5, you see the screen shown in the attached file called "[lynn-message-to-iab-06jan03-]e5.tif". (Sorry about the TIFF image, but it's the only reliable format for PC screen dumps.) As you can see, VGRS makes wild guesses about what the user wanted, some of which are very clearly impossible. Worse yet, they do not include all of the legal guesses that they could have made. And, just to make it completely confusing to the user, not all of the choices work.

The DNS is not supposed to be a best-guess service, yet VGRS has turned .com and .net into this just before IDNA is to be an RFC. VGRS should not be allowed, through its monopoly on the .com and .net gTLDs, to destroy the coherence of the DNS for its own short-term profit. ICANN should demand that VGRS immediately stop giving incorrect answers to any query in .com and .net, and should instead follow the IETF standards. If VGRS refuses, ICANN should re-delegate the .com and .net zones to registries that are more willing to follow the DNS standards.
See this [computerworld.com] also.

Re:ICANN is worried too (3, Informative)

gowen (141411) | more than 9 years ago | (#11596840)

Neither of those are about this concern (homographs between Cyrillic and Latin alphabets). That's a concern about Verisign using non-IDN methods to do DNS-lookups, and (like the late, unlamented SiteFinder) doing fuzzy matches in the case of unrecognised UTF domain names.

Strength from weakness (2, Funny)

XxtraLarGe (551297) | more than 9 years ago | (#11596692)

The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.

IE is safer because it doesn't support a feature? Don't worry, I'm sure the plug-in will be installed with the next security update!

konqueror (2, Informative)

j0nb0y (107699) | more than 9 years ago | (#11596703)

I've confirmed that konqueror is vulnerable. Anyone know how to disable this in konqueror?

Character appearances (2, Insightful)

remahl (698283) | more than 9 years ago | (#11596710)

I thought this was a well-known attack -- using Unicode characters that look like latin but aren't. As more and more web sites start accepting unicode in user names without policing, I think we'll find more interesting applications for this type of attack.

This is not that different from "spoofing" using this address:

http://www.paypaI.com [paypai.com], i.e. replacing the lower-case L with an upper-case i (except that paypai.com happens to be taken already, by an annoying site that maximizes the browser window, no less).
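The paypaI.com trick above needs no Unicode at all, which is why a script check alone does not catch it. An added example (written for this page, not code from the comment's author or from any browser) of the complementary check: fold every character to the ASCII letter it visually resembles, covering the all-ASCII confusions (I/l/1, O/0, rn/m) as well as the Cyrillic and Greek lookalikes (the two o's in the later comment among them), and compare the folded name against a list of domains worth protecting. The lookalike table and the protected list are assumptions for the demonstration, not a complete confusables registry.

```python
# Added example for the Slashdot thread on IDN homographs; not code from the
# comment's author or from any browser. Tables below are illustrative only.
import unicodedata

# Single characters folded to the Latin letter they resemble. Assumed table.
CONFUSABLE = {
    # ASCII-only lookalikes: the paypaI.com / paypa1.com case
    "I": "l", "1": "l", "0": "o",
    # Cyrillic letters that render like Latin ones
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    # Greek letters: omicron, alpha, rho
    "\u03bf": "o", "\u03b1": "a", "\u03c1": "p",
}
# Two-letter sequences that read as one glyph in a proportional font.
MULTI = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Constructed list of domains to protect; a real deployment would use its own.
PROTECTED = ["paypal.com", "microsoft.com", "slashdot.org"]


def skeleton(host):
    """Fold a hostname to the ASCII it visually resembles: compatibility
    decomposition (full-width letters become plain, accents split off), drop
    the combining marks, substitute lookalikes while case is still known
    (capital I is the lookalike for l, not i), lower-case, then collapse the
    two-letter sequences that mimic a single glyph."""
    decomposed = unicodedata.normalize("NFKD", host)
    folded = []
    for ch in decomposed:
        if unicodedata.combining(ch):
            continue
        folded.append(CONFUSABLE.get(ch, ch))
    s = "".join(folded).lower()
    for seq, rep in MULTI:
        s = s.replace(seq, rep)
    return s


def lookalike_of(host, protected=PROTECTED):
    """Return the protected domain this host impersonates, or None when the
    host either is that domain itself or resembles nothing in the list."""
    sk = skeleton(host)
    for real in protected:
        if sk == skeleton(real) and host.lower() != real:
            return real
    return None


if __name__ == "__main__":
    # Constructed samples: Latin I, digit 1, Cyrillic a, rn-for-m, and a
    # legitimate name that should pass.
    for h in ["paypaI.com", "paypa1.com", "p\u0430ypal.com",
              "rnicrosoft.com", "paypal.com", "example.com"]:
        print(f"{h:18} -> {skeleton(h):18} impersonates: {lookalike_of(h)}")
```

The skeleton comparison is deliberately lossy: it will also fold honest names that happen to share a skeleton with a protected one, so it belongs in a warning path (the "IS NOT THE SAME as" banner proposed earlier in the thread), not in a blocking one.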

New Microsoft Security Mantra (2, Funny)

IvanHo (767188) | more than 9 years ago | (#11596729)

Security through inutility

Re:New Microsoft Security Mantra (1)

jellomizer (103300) | more than 9 years ago | (#11596800)

That's been everyone else's mantra for years. That is why Firefox doesn't natively come with ActiveX support.

Not all non-IE browsers (2, Insightful)

P-Nuts (592605) | more than 9 years ago | (#11596743)

Links is unaffected - it goes to the real paypal site.

Rebuttals (4, Funny)

Jacco de Leeuw (4646) | more than 9 years ago | (#11596759)

  • Oh, come on! Even I saw the differences between those two a's!
  • Move your pointer to the padlock and you'll see that the certificate was signed by the UserTrust Network instead of the usual suspects (Verisign, Thawte etc.).
  • Certificates from the UserTrust Network are not to be trusted anyway. They don't check anything and you cannot trace back the owner of the domain.
  • CAs should reject CSRs with these characters.
  • The CA should revoke those certificates. (You did enable OCSP, didn't you?)
  • It doesn't work with links/lynx.
:-)

Re:Rebuttals (0)

Anonymous Coward | more than 9 years ago | (#11596835)

1) I didn't
2) Probably to create a cheap demonstration of the flaw
3) See above, anyway what users care, Firefox didn't say "dodgy certificate vendor" did it?
4) Rubbish, what if you have a valid IDN?
5) It is still a valid certificate for the IDN
6) Yeah, but you get arrested in the UK for using Lynx, so ...

Mozilla 23 X IE 1 (1)

michelcultivo (524114) | more than 9 years ago | (#11596760)

Here in Mozilla there's a little difference in the "ay" of "paypal". It's so hard for a user to see in the browser window that I'm scared of IE not being exploitable this time; maybe it's time for the IE developers to celebrate one victory.

Advice (1)

Living WTF (838448) | more than 9 years ago | (#11596761)

You should never go to an important site like a homebanking webapp by clicking on links (from emails or unknown web pages). Just type them into the address bar by hand or use bookmarks created by yourself.

meh.. (0)

Anonymous Coward | more than 9 years ago | (#11596792)

This has been known for years as most /.ers know :/

The sad state of headline writing (1)

PenguiN42 (86863) | more than 9 years ago | (#11596801)

Don't you think that "Shmoo Group Finds Exploit in IDN domain names" would have been more informative?

Alas, "Shmoo Group Finds Exploit For non-IE Browsers" is more likely to catch people's attention.

What a world!

Not on Mozilla Mac OS9 (1)

JoeCommodore (567479) | more than 9 years ago | (#11596830)

In Mozilla for Mac OS9 I get p?ypal.com, pretty obvious to me. Not that I don't want to use something newer than Mozilla 1.21, just that MacOS is no longer supported. (OSX is though)

There is a good reason why MS doesn't want IDN (1)

McNihil (612243) | more than 9 years ago | (#11596838)

Mcrosoft this one is much harder to spot than the PayPal one. Unless using a monospace font, which nobody does on Windows.

Non-empty subject line (1)

Cmdr TECO (579177) | more than 9 years ago | (#11596848)

Not new. If you're going to have character codes for the likes of ο and о -- slashdot won't let me include the actual characters -- you've got to realize that they both look a lot like o. (I've misused this a couple of times, not for phishing, but to hide words from search engines.)

So, are people grateful that Unicode's Unified CJK has prevented thousands of similar phishing possibilities? Guess.

Maybe this is why... (1)

simon hughes (826043) | more than 9 years ago | (#11596855)

... there isn't IDN support in IE yet.