IDN Spoofing Issue

Hendikins
Posts: 26
Joined: December 31st, 1969, 5:00 pm
Location: On a train

IDN Spoofing Issue

Post by Hendikins »

A spoofing issue has been found in browsers that support IDN (International Domain Names). This includes Mozilla, Firefox, Konqueror, Safari and Opera.

<strong>Description</strong>
A malicious site author can register a domain with characters that resemble other commonly used characters. The browser will in turn show these in the URL bar, status bar, etc. <a href="http://secunia.com/">Secunia</a> has <a href="http://secunia.com/multiple_browsers_idn_spoofing_test/">a test available</a>.

<strong>Status</strong>
Unfixed, workaround available.

<strong>Workaround</strong>
This can be worked around by disabling IDN support. To do this, you will have to edit compreg.dat, which is located in your Firefox profile directory (<a href="http://www.mozilla.org/products/firefox/releases/1.0.html#profilefolder">Common profile locations</a>).

Open this file with a text editor which understands the line endings in it, such as Wordpad (or your favourite text editor on other platforms), and comment out all lines containing IDN by adding # at the start of the line. For example:
<pre>
# {4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so</pre>


Note that you will have to repeat this edit if you install any themes or extensions, as compreg.dat gets regenerated.

<strong>More Information</strong>
<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=279099">Mozilla Bug 279099</a> - <strong>DO NOT COMMENT ON THIS BUG UNLESS YOU PLAN ON FIXING IT</strong>
<a href="http://secunia.com/advisories/14163/">Secunia Advisory</a>
<a href="http://www.theregister.co.uk/2005/02/07/browsers_idn_spoofing/">Firefox spoofing flaw goes international</a> - The Register

<strong>Related Forum Threads</strong>
<a href="http://forums.mozillazine.org/viewtopic.php?t=215178">Spoofing (IDN) vulnerability temporary solution (works 100%)</a>
<a href="http://forums.mozillazine.org/viewtopic.php?t=215022">IDN browser exploit</a>
<a href="http://forums.mozillazine.org/viewtopic.php?t=215171">All Browsers But IE At Risk To New Spoofing Scheme</a>
<a href="http://forums.mozillazine.org/viewtopic.php?t=215159">Notice another security issue with firefox</a>
<a href="http://forums.mozillazine.org/viewtopic.php?t=214906">IDN Issue?</a>
<a href="http://forums.mozillazine.org/viewtopic.php?t=214914">How to set enableIDN to false?</a>
<a href="http://forums.mozillazine.org/viewtopic.php?t=214828">Serious security issue -- phishing vulnerability</a>

Please discuss the issue here, rather than creating dozens of threads about the same subject.

Note: Information gathered from various sources both on and off the forums.
Last edited by Hendikins on February 7th, 2005, 11:02 pm, edited 5 times in total.
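The look-alike-character problem described in the post above can be checked for mechanically. This is an added example, not part of the original thread: it decodes each label of a hostname from its `xn--` (Punycode) form and reports labels that contain non-ASCII characters or mix scripts. The function names and the `.example` sample host are assumptions made for illustration, and the script tag is a coarse one taken from the Unicode character name.

```python
import unicodedata

def script_of(ch):
    """Coarse script tag: first word of the Unicode name (LATIN, CYRILLIC, ...)."""
    if ch.isdigit() or ch == "-":
        return "COMMON"  # digits and hyphen are shared by every script
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"

def decode_label(label):
    """Unicode form of one DNS label; xn-- labels are Punycode-decoded."""
    if label.lower().startswith("xn--"):
        return label[4:].lower().encode("ascii").decode("punycode")
    return label

def audit_hostname(host):
    """Return (raw_label, unicode_label, kind, scripts) for each flagged label."""
    findings = []
    for raw in host.rstrip(".").split("."):
        try:
            label = decode_label(raw)
        except UnicodeError:
            findings.append((raw, raw, "invalid-punycode", []))
            continue
        if label.isascii():
            continue  # ASCII-only label: nothing encoded in it
        scripts = sorted({script_of(c) for c in label} - {"COMMON"})
        kind = "mixed-script" if len(scripts) > 1 else "non-ascii"
        findings.append((raw, label, kind, scripts))
    return findings

if __name__ == "__main__":
    # Constructed sample: Latin "p" + Cyrillic U+0430 + Latin "ypal" under .example
    ace = "xn--" + "p\u0430ypal".encode("punycode").decode("ascii")
    for host in ("www.mozilla.org", "www." + ace + ".example"):
        print(host, audit_hostname(host))
```

A single-script non-ASCII label is reported as `non-ascii` rather than `mixed-script`, since legitimate internationalized names look like that too; only the mixed case matches the spoof described here.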
Tufriast
Posts: 5
Joined: November 3rd, 2004, 12:29 pm
Location: Mckinney, TX
Contact:

Post by Tufriast »

Easy fix! And to prove it's fixed, go to the Secunia website and do the "test" they have set up.

The before comes up with the paypal.com spoof window. If you did the above trick right - then it will just say "cannot contact www.paypal.com".

I suppose there is a nightly build in the works to resolve this...
Don't sing it, just bring it.
Guest
Guest

Post by Guest »

I understand there is a nightly build in the works that should make for a better and
easier workaround. This won't resolve the underlying problem however.

It should have been possible to fix this by just switching off IDS in about:config.
Unfortunately the way this preference was initialised was found to be broken and
the fix didn't persist across restarts. This has been corrected in the nightlies I
believe.

A permanent fix that doesn't just turn off or disable IDS is likely to take longer.
The protocol itself is really at fault and some rethinking may be required.
AnonEmoose
Posts: 2031
Joined: February 6th, 2004, 11:59 am

Re: IDN Spoofing Issue

Post by AnonEmoose »

Hendikins wrote:<edit>

<strong>Workaround</strong>
This can be worked around by disabling IDN support. To do this, you will have to edit compreg.dat, which is located in your Firefox profile directory (<a href="http://www.mozilla.org/products/firefox/releases/1.0.html#profilefolder">Common profile locations</a>).

Open this file with a text editor which understands the line endings in it, such as Wordpad (or your favourite text editor on other platforms), and comment out all lines containing IDN by adding # at the start of the line. For example:
<pre>
# {4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so</pre>
<edit>

Just bringing the following point some attention....

Isn't compreg.dat re-created any time you install a new plugin/extension? And wouldn't that overwrite the old file with the commented out line (not sure if FF respects the read-only attribute either, a la cookies.txt)... I haven't tested this as I haven't had the time and as I'm not really all that concerned with the IDN issue (based on my browsing habits)...
iwod
Posts: 1033
Joined: July 18th, 2003, 10:09 pm

Post by iwod »

Will there ever be an update to fix this? What happens to all those who don't know much about computers?
AnonEmoose
Posts: 2031
Joined: February 6th, 2004, 11:59 am

Post by AnonEmoose »

Well, I got a chance to test... and unless you make the file read-only the edit will be OVERwritten on new plugin/extension installation. Also, keeping it read-only may prevent your newly installed extension/plugin from registering properly... SO... make sure to re-edit the file after extension/plugin installation....
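Because the compreg.dat edit has to be repeated after every theme or extension install, it helps to have it as a repeatable step. This is an added example, not part of any post in the thread: it comments out every line containing IDN, keeps the file's line endings byte-for-byte, and does nothing on lines that are already commented. The function names, the `.bak` backup file and the sample lines (placeholder class IDs and contract names) are constructed for illustration.

```python
MARKER = b"IDN"  # the thread's instruction: comment out all lines containing IDN

def comment_out_idn(data):
    """Return (patched_bytes, lines_changed) for the raw bytes of compreg.dat.

    Working on bytes with keepends=True leaves CR, LF and CRLF endings as
    found; lines already starting with '#' are skipped, so a re-run is a no-op.
    """
    out, changed = [], 0
    for line in data.splitlines(keepends=True):
        if MARKER in line and not line.startswith(b"#"):
            line = b"# " + line
            changed += 1
        out.append(line)
    return b"".join(out), changed

def patch_file(path):
    """Patch compreg.dat in place, saving the previous copy as <path>.bak."""
    with open(path, "rb") as f:
        original = f.read()
    patched, changed = comment_out_idn(original)
    if changed:
        with open(path + ".bak", "wb") as f:
            f.write(original)
        with open(path, "wb") as f:
            f.write(patched)
    return changed

# Constructed sample in the shape of the line quoted in the thread
# (class IDs and the second contract name are placeholders).
SAMPLE = (
    b"{00000000-0000-0000-0000-000000000001},"
    b"@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so\r\n"
    b"{00000000-0000-0000-0000-000000000002},"
    b"@example.invalid/other-service;1,,nsOtherService,rel:libnecko.so\n"
)

if __name__ == "__main__":
    patched, n = comment_out_idn(SAMPLE)
    print(n, "line(s) commented out")
    print(patched.decode("ascii"))
```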
Hendikins
Posts: 26
Joined: December 31st, 1969, 5:00 pm
Location: On a train

Post by Hendikins »

Adding to sticky.
West
Posts: 12
Joined: February 3rd, 2005, 1:44 am
Location: Amersfoort, Netherlands
Contact:

Post by West »

Ok, I have a rather strange situation: I cannot seem to find the folder and file that need to be altered in my Mac Library. Any help? There is only one file, a .shlb file. Any help with this?
!AMD Power
Vectorspace
Moderator
Posts: 14455
Joined: November 27th, 2003, 4:50 am
Location: Warwickshire, UK
Contact:

Post by Vectorspace »

The default Mac profile can be in ~/Library/Application Support/Firefox/xxxxxxxx.default/
or ~/Library/Mozilla/Firefox/Profiles/xxxxxxxx.default/
"All things being equal, the simplest answer is usually the correct one" - Occam's Razor
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20110624 Thunderbird/5.0
Pike
Posts: 2293
Joined: August 10th, 2003, 12:12 pm
Location: UK
Contact:

Post by Pike »

Another alternative is to grab a 1.0.1 tinderbox build where network.enableIDN works correctly (I've only confirmed it on the Windows build though):

ftp://ftp.mozilla.org/pub/mozilla.org/f ... ox-builds/

Windows = sweetlou-aviary1.0.1
Linux = madcow-aviary1.0.1
MacOS = imola-aviary1.0.1
n00tz
Guest

Quick-fix

Post by n00tz »

There's a simple fix for those that wish to take care of it before an official patch/fix comes out.

Go to the about:config page and disable network.enableIDN (set to FALSE).

I went back to the secunia page and it checked out.
Guest
Guest

Post by Guest »

I only found 2 lines that contain IDN in them with the "Find". Is this correct? Also, I use the default theme with 4 extensions. Thank you in advance.
Captn
Posts: 43
Joined: May 18th, 2004, 2:06 pm

Post by Captn »

Anonymous wrote: I only found 2 lines that contain IDN in them with the "Find". Is this correct? Also, I use the default theme with 4 extensions. Thank you in advance.


Sorry this post is mine I was not logged in.
Nalle
Guest

Post by Nalle »

@n00tz:
No, it won't!
This is a bug in Firefox that makes your toggling disappear again if you close all instances of Firefox and start it again.

Firefox is now just as bad as when you first installed it

</nalle>
G'Dad
Guest

Post by G'Dad »

In the FWIW category, there's this from the AP this morning:
http://apnews1.iwon.com//article/200502 ... UIRO0.html

The last part of which states:
"But Johannes Ullrich, chief technology officer with the SANS Institute's Internet Storm Center, said scammers may focus on exploiting other flaws because IE remains dominant.
'Right now the one thing that will likely prevent them from using it is that Internet Explorer users will not be able to see the page at all,' he said."

So hopefully a fix will be in before too long, before "they" catch on.