Serious security issue -- phishing vulnerability

Discussion of bugs in Mozilla Firefox
duvie57
Posts: 18
Joined: July 13th, 2004, 4:01 am

Post by duvie57 »

A demo at an annual hacker con showed httpS://www.paypal.com/ being spoofed, certificate and all. That's right, httpS.

http://www.shmoo.com/idn/ <- the POC demo
http://www.shmoo.com/idn/homograph.txt <- the explanation

One workaround for Firefox might have been to go to network.enableIDN in about:config and set it to false. At least for me, however, disabling IDN does not appear to help.

The other, more reliable workaround is to read every certificate before trusting a site. Like we're all gonna do THAT...?

For once, IE is not vulnerable.
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Click here (http://www.dfconsultants.com/) before you call me a "dumb newbie," OK? ;)
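As an added example (not code from the thread or from the Shmoo Group), here is the kind of homograph check that browsers later built in, using only the Python standard library. It shows why the spoof works: a Cyrillic "а" (U+0430) substituted for the Latin "a" in "paypal" is a different hostname to the resolver, and its punycode form is what the certificate is actually issued for. The confusables table, the trusted-host list and every URL below are constructed for the demonstration; the only real data point is the punycode name xn--pypal-4ve.com, which is the form of the demo host quoted later in this thread.

```python
"""IDN homograph check (added example, not from the original forum post)."""
import unicodedata
from urllib.parse import urlsplit

# Constructed table: Cyrillic letters that render like Latin ones in most fonts.
# A real implementation would use the Unicode confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}


def to_ascii(host: str) -> str:
    """Unicode hostname -> punycode (ACE) form, i.e. what is sent to DNS
    and what appears in the certificate's subject/SAN."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """ACE hostname -> what an IDN-aware address bar renders."""
    return host.encode("ascii").decode("idna")


def label_scripts(label: str) -> set[str]:
    """Heuristic script detection: the first word of a letter's Unicode name
    ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC'). Digits and hyphens are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def is_mixed_script(host: str) -> bool:
    """True if any label mixes scripts, e.g. Latin and Cyrillic in one word."""
    return any(len(label_scripts(label)) > 1 for label in host.split("."))


def skeleton(host: str) -> str:
    """Map look-alike characters onto their Latin twins so that two names that
    look the same on screen compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host.lower())


def check_url(url: str, trusted: set[str]) -> list[str]:
    """Return the reasons this URL's host is suspicious; an empty list is clean."""
    host = urlsplit(url).hostname or ""
    shown = to_unicode(host) if "xn--" in host else host   # what the user sees
    ace = to_ascii(shown)                                   # what actually resolves
    findings = []
    if ace != shown:
        findings.append(f"IDN host: shown as {shown!r}, resolves as {ace!r}")
    if is_mixed_script(shown):
        findings.append("a label mixes scripts")
    if shown not in trusted and skeleton(shown) in trusted:
        findings.append(f"looks like trusted host {skeleton(shown)!r}")
    return findings


if __name__ == "__main__":
    spoof = "https://www.p\u0430ypal.com/"        # constructed: Cyrillic а in "pa"
    for reason in check_url(spoof, {"www.paypal.com"}):
        print(reason)
```

The check is deliberately two-sided: it flags the ACE/Unicode mismatch (which is the certificate-versus-address-bar discrepancy a careful reader would catch by hand) and also the visual collision with a known-good name, which is the part no amount of certificate reading helps with.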
kyhwana
Posts: 14
Joined: March 14th, 2004, 4:58 pm

Post by kyhwana »

The workaround doesn't seem to work: if you set it to false, then restart Firefox, in about:config it's still set to false, but it's actually true, so the spoofing still works!
They need to fix this ASAP and release 1.0.1.
derekfrost
Posts: 27
Joined: July 3rd, 2004, 6:50 am
Location: England

Post by derekfrost »

I've also tried the workaround (about:config, setting enableIDN to false). This only works while Firefox is running. Once it restarts, IDN works even though the setting is still false. You have to enable and re-disable it each time you run Firefox. It looks like a bug in Firefox's initialisation.

I did notice that copying and pasting the URL into Wordperfect 9 displayed the second letter 'a' (in pal) as a '?'. Perhaps the option to display the URL in UTF-8 would help.
mnkyboy
Posts: 102
Joined: December 23rd, 2004, 2:34 pm

Post by mnkyboy »

First thing, WTF?

Why doesn't Firefox fix this with a hotfix? This seems like a big red flag for Firefox...
schapel
Posts: 3483
Joined: November 4th, 2002, 10:47 pm
Location: Ann Arbor, Michigan

Post by schapel »

The problem with setting network.enableIDN to false has been reported as bug 281377 (https://bugzilla.mozilla.org/show_bug.cgi?id=281377).
mnkyboy
Posts: 102
Joined: December 23rd, 2004, 2:34 pm

Post by mnkyboy »

schapel wrote:The problem with setting network.enableIDN to false has been reported as bug 281377 (https://bugzilla.mozilla.org/show_bug.cgi?id=281377).


When do they plan on fixing this?
schapel
Posts: 3483
Joined: November 4th, 2002, 10:47 pm
Location: Ann Arbor, Michigan

Post by schapel »

Uh, well, the bug has to be confirmed first!
aeve
Posts: 4
Joined: January 26th, 2004, 1:05 pm

Post by aeve »

kyhwana wrote:The workaround doesn't seem to work: if you set it to false, then restart Firefox, in about:config it's still set to false, but it's actually true, so the spoofing still works!
They need to fix this ASAP and release 1.0.1.


WFM. I changed network.enableIDN to false, closed Firefox, reopened, tried http://www.schmoo.com/idn/ again and was given an alert that said paypal.com could not be found.

I'm using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050122 Firefox/1.0+
Kylotan
Posts: 478
Joined: July 21st, 2003, 4:45 am
Location: Nottingham, UK

Post by Kylotan »

To be fair, to say that this is a spoof of 'www.paypal.com' is not accurate. The browser is only doing what it's told and it goes to the correct site.
egeezer
Posts: 28
Joined: January 29th, 2004, 2:37 pm

Post by egeezer »

Using Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.5) Gecko/20041112 Firefox/1.0 - the fix fails after closing and restarting the browser. The displayed URL does not match the registered domain as shown in the certificate. The registered domain shown is www.xn--pypal-4ve.com.

See http://www.dslreports.com/forum/remark,12603456 for another discussion.
Cheers,

EG
venus_de_mpls
Posts: 1059
Joined: December 23rd, 2004, 3:43 pm
Location: Minneapolis, MN, USA, Earth

Post by venus_de_mpls »

schapel wrote:The problem with setting network.enableIDN to false has been reported as bug 281377 (https://bugzilla.mozilla.org/show_bug.cgi?id=281377).


That bug shows as resolved as it is a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=281365
derekfrost
Posts: 27
Joined: July 3rd, 2004, 6:50 am
Location: England

Post by derekfrost »

venus_de_mpls wrote:
schapel wrote:The problem with setting network.enableIDN to false has been reported as bug 281377 (https://bugzilla.mozilla.org/show_bug.cgi?id=281377).


That bug shows as resolved as it is a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=281365


It is fixed in recent nightly builds, I'm using one dated 06/02/2005, and IDN stays disabled when it restarts. I can't vouch for stability in other areas though. The previous version I tried wouldn't copy to clipboard for example, though this one does.

I'm still using 1.0 as my primary browser. Unless you are in the habit of responding to Phishing e-mails I don't see it as too much of an issue. I always use my own bookmarks when I go to important sites.
egeezer
Posts: 28
Joined: January 29th, 2004, 2:37 pm

Nightly build information

Post by egeezer »

Thanks for the information on nightly build as the fix - :)

I agree, since the exploit is a phish tool and most here are more observant than the casual user, it's not much of an exposure unless we have susceptible folks using our systems.

On the nightly build, since there may be other bugs in the builds, I'll probably wait for the next stable release. It would be nice to have a build with just the IDN fix, but I suppose that's something not available right now. I imagine as Firefox progresses there'll be patches or fix updates when things like this pop up.
Cheers,

EG
ZenDude
Posts: 49
Joined: June 6th, 2003, 4:37 pm
Location: Tucson, Arizona

Post by ZenDude »

One possible fix is the SpoofStick extension (http://www.corestreet.com/spoofstick/). Not the perfect solution, but it is good until this issue is fixed.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051025 Firefox/1.5 ID:2005102519 running WinXPSP2
venus_de_mpls
Posts: 1059
Joined: December 23rd, 2004, 3:43 pm
Location: Minneapolis, MN, USA, Earth

Post by venus_de_mpls »

Spoofstick actually mimics instead of resolves the problem.
Win XP Pro SP1
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Thunderbird version 2.0.0.0 (20070326)