IDN Spoofing Issue
-
- Posts: 26
- Joined: December 31st, 1969, 5:00 pm
- Location: On a train
IDN Spoofing Issue
A Spoofing issue has been found in browsers that support IDN (International Domain Names). This includes Mozilla, Firefox, Konqueror, Safari and Opera.
<strong>Description</strong>
A malicious site author can register a domain with characters that resemble other commonly used characters. The browser will in turn show these in the URL bar, status bar, etc. <a href="http://secunia.com/">Secunia</a> has <a href="http://secunia.com/multiple_browsers_idn_spoofing_test/">a test available</a>.
<strong>Status</strong>
Unfixed, workaround available.
<strong>Workaround</strong>
This can be worked around by disabling IDN support. To do this, you will have to edit compreg.dat, which is located in your Firefox profile directory (<a href="http://www.mozilla.org/products/firefox/releases/1.0.html#profilefolder">Common profile locations</a>).
Open this file with a text editor which understands the line endings in it, such as Wordpad (or your favourite text editor on other platforms), and comment out all lines containing IDN by adding # at the start of the line. For example:
<pre>
# {4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so</pre>
Note that you will have to repeat this edit if you install any themes or extensions, as compreg.dat gets regenerated.
<strong>More Information</strong>
<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=279099">Mozilla Bug 279099</a> - <strong>DO NOT COMMENT ON THIS BUG UNLESS YOU PLAN ON FIXING IT</strong>
<a href="http://secunia.com/advisories/14163/">Secunia Advisory</a>
<a href="http://www.theregister.co.uk/2005/02/07/browsers_idn_spoofing/">Firefox spoofing flaw goes international</a> - The Register
<strong>Related Forum Threads</strong>
<a href="http://forums.mozillazine.org/viewtopic.php?t=215178">Spoofing (IDN) vulnerability temporary solution (works 100%)</a>
<a href="http://forums.mozillazine.org/viewtopic.php?t=215022">IDN browser exploit</a>
<a href="http://forums.mozillazine.org/viewtopic.php?t=215171">All Browsers But IE At Risk To New Spoofing Scheme</a>
<a href="http://forums.mozillazine.org/viewtopic.php?t=215159">Notice another security issue with firefox</a>
<a href="http://forums.mozillazine.org/viewtopic.php?t=214906">IDN Issue?</a>
<a href="http://forums.mozillazine.org/viewtopic.php?t=214914">How to set enableIDN to false?</a>
<a href="http://forums.mozillazine.org/viewtopic.php?t=214828">Serious security issue -- phishing vulnerability</a>
Please discuss the issue here, rather than creating dozens of threads about the same subject.
Note: Information gathered from various sources both on and off the forums.
Last edited by Hendikins on February 7th, 2005, 11:02 pm, edited 5 times in total.
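To make the lookalike-character problem described in this post concrete, here is an added example (not code from the thread, Secunia or Mozilla). It reports which scripts each hostname label mixes and falls back to the ASCII (punycode) form for mixed-script labels. The sample hostname is constructed, and the "show punycode when scripts are mixed" display policy is an assumption made for illustration.

```python
import unicodedata

# Constructed sample: "paypal" with U+0430 (Cyrillic small a) as second letter.
SPOOF = "www.p\u0430ypal.com"

def script_of(ch):
    """Approximate a character's script from the first word of its Unicode name.

    The standard library has no Script property, so this is a heuristic.
    """
    if ch.isdigit() or ch == "-":
        return None  # digits and hyphen are shared by every script
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def inspect_label(label):
    """Return the label's ASCII (ACE/punycode) form and the scripts it mixes."""
    scripts = sorted({s for s in map(script_of, label) if s})
    ace = label.encode("idna").decode("ascii")
    return {"label": label, "ace": ace, "scripts": scripts,
            "mixed": len(scripts) > 1}

def safe_display(hostname):
    """Render mixed-script labels in punycode, leave other labels untouched.

    Assumed policy for this example only. It does not catch labels written
    entirely in one non-Latin script that happen to resemble a Latin name.
    """
    shown = []
    for label in hostname.lower().split("."):
        info = inspect_label(label)
        shown.append(info["ace"] if info["mixed"] else label)
    return ".".join(shown)

if __name__ == "__main__":
    for host in (SPOOF, "www.paypal.com", "m\u00fcnchen.example"):
        print(repr(host), "->", safe_display(host))
        for label in host.split("."):
            info = inspect_label(label)
            if info["mixed"]:
                print("   mixed scripts in label:", info["scripts"])
```
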
-
- Posts: 5
- Joined: November 3rd, 2004, 12:29 pm
- Location: Mckinney, TX
- Contact:
Easy fix! And to prove it's fixed, go to the Secunia website and do the "test" they have set up.
The before comes up with the paypal.com spoof window. If you did the above trick right - then it will just say "cannot contact www.paypal.com".
I suppose there is a nightly build in the works to resolve this...
Don't sing it, just bring it.
-
- Guest
I understand there is a nightly build in the works that should make for a better and
easier workaround. This won't resolve the underlying problem however.
It should have been possible to fix this by just switching off IDS in about:config.
Unfortunately the way this preference was initialised was found to be broken and
the fix didn't persist across restarts. This has been corrected in the nightlies I
believe.
A permanent fix that doesn't just turn off or disable IDS is likely to take longer.
The protocol itself is really at fault and some rethinking may be required.
-
- Posts: 2031
- Joined: February 6th, 2004, 11:59 am
Re: IDN Spoofing Issue
Hendikins wrote:<edit>
<strong>Workaround</strong>
This can be worked around by disabling IDN support. To do this, you will have to edit compreg.dat, which is located in your Firefox profile directory (<a href="http://www.mozilla.org/products/firefox/releases/1.0.html#profilefolder">Common profile locations</a>).
Open this file with a text editor which understands the line endings in it, such as Wordpad (or your favourite text editor on other platforms), and comment out all lines containing IDN by adding # at the start of the line. For example:
<pre>
# {4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so</pre>
<edit>
Just bringing the following point some attention....
Isn't compreg.dat re-created any time you install a new plugin/extension? And wouldn't that overwrite the old file with the commented-out line (not sure if FF respects the read-only attribute either, a la cookies.txt)... I haven't tested this as I haven't had the time and as I'm not really all that concerned with the IDN issue (based on my browsing habits)...
-
- Posts: 2031
- Joined: February 6th, 2004, 11:59 am
Well, I got a chance to test... and unless you make the file read-only the edit will be OVERwritten on new plugin/extension installation. Also, keeping it read-only may prevent your newly installed extension/plugin from registering properly... SO... make sure to re-edit the file after extension/plugin installation....
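Because the compreg.dat edit has to be repeated whenever the file is regenerated, the workaround from this thread can be scripted so that it is safe to re-run. This is an added example, not code from any poster or from Mozilla; the function names and the sample file contents are constructed, and the only format knowledge it relies on is the example line quoted in the thread.

```python
# Constructed sample: one unrelated line plus the IDN line quoted in the
# thread, with CRLF line endings. The bracketed IDs are placeholders.
SAMPLE = (
    b"{constructed-placeholder},@example.invalid/other-service;1,,"
    b"nsOtherService,rel:libnecko.so\r\n"
    b"{4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},"
    b"@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so\r\n"
)

def disable_idn(data: bytes):
    """Comment out every line containing IDN; return (new_bytes, lines_changed).

    Works on bytes so the file's own line endings are kept exactly as found.
    Lines already starting with '#' are skipped, so re-running is harmless.
    """
    out, changed = [], 0
    for line in data.splitlines(keepends=True):
        if b"IDN" in line and not line.lstrip().startswith(b"#"):
            out.append(b"# " + line)
            changed += 1
        else:
            out.append(line)
    return b"".join(out), changed

def patch_file(path: str) -> int:
    """Apply disable_idn to a file, keeping a .bak copy when anything changes."""
    with open(path, "rb") as fh:
        original = fh.read()
    patched, changed = disable_idn(original)
    if changed:
        with open(path + ".bak", "wb") as fh:
            fh.write(original)
        with open(path, "wb") as fh:
            fh.write(patched)
    return changed

if __name__ == "__main__":
    patched, changed = disable_idn(SAMPLE)
    print("lines commented out:", changed)
    print("second pass changes:", disable_idn(patched)[1])
```

A non-zero return from `patch_file` after installing an extension or theme means the file was regenerated and the edit had been lost.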
- West
- Posts: 12
- Joined: February 3rd, 2005, 1:44 am
- Location: Amersfoort, Netherlands
- Contact:
- Vectorspace
- Moderator
- Posts: 14455
- Joined: November 27th, 2003, 4:50 am
- Location: Warwickshire, UK
- Contact:
The default Mac profile can be in ~/Library/Application Support/Firefox/xxxxxxxx.default/
or ~/Library/Mozilla/Firefox/Profiles/xxxxxxxx.default/
"All things being equal, the simplest answer is usually the correct one" - Occam's Razor
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20110624 Thunderbird/5.0
- Pike
- Posts: 2293
- Joined: August 10th, 2003, 12:12 pm
- Location: UK
- Contact:
Another alternative is to grab a 1.0.1 tinderbox build where network.enableIDN works correctly (I've only confirmed it on the Windows build though):
ftp://ftp.mozilla.org/pub/mozilla.org/f ... ox-builds/
Windows = sweetlou-aviary1.0.1
Linux = madcow-aviary1.0.1
MacOS = imola-aviary1.0.1
-
- Guest
In the FWIW category, there's this from the AP this morning:
http://apnews1.iwon.com//article/200502 ... UIRO0.html
The last part of which states:
""But Johannes Ullrich, chief technology officer with the SANS Institute's Internet Storm Center, said scammers may focus on exploiting other flaws because IE remains dominant.
"Right now the one thing that will likely prevent them from using it is that Internet Explorer users will not be able to see the page at all," he said.""
So hopefully a fix will be in before too long, before "they" catch on.