Serious security issue -- phishing vulnerability
- duvie57
- Posts: 18
- Joined: July 13th, 2004, 4:01 am
Serious security issue -- phishing vulnerability
A demo at an annual hacker con showed httpS://www.paypal.com/ being spoofed, certificate and all. That's right, httpS.
http://www.shmoo.com/idn/ <- the POC demo
http://www.shmoo.com/idn/homograph.txt <- the explanation
One workaround for Firefox might have been to go to network.enableIDN in about:config and set it to false. At least for me, however, disabling IDN does not appear to help.
The other, more reliable workaround is to read every certificate before trusting a site. Like we're all gonna do THAT...?
For once, IE is not vulnerable.
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Click here (http://www.dfconsultants.com/) before you call me a "dumb newbie," OK?
-
- Posts: 27
- Joined: July 3rd, 2004, 6:50 am
- Location: England
- Contact:
I've also tried the workaround (about:config, setting enableIDN to false). This only works while Firefox is running. Once it restarts IDN works even though the setting is still false. You have to enable and re-disable each time you run Firefox. It looks like a bug in Firefox's initialisation.
I did notice that copying and pasting the URL into Wordperfect 9 displayed the second letter 'a' (in pal) as a '?'. Perhaps the option to display the URL in UTF-8 would help.
-
- Posts: 3483
- Joined: November 4th, 2002, 10:47 pm
- Location: Ann Arbor, Michigan
- Contact:
-
- Posts: 3483
- Joined: November 4th, 2002, 10:47 pm
- Location: Ann Arbor, Michigan
- Contact:
-
- Posts: 4
- Joined: January 26th, 2004, 1:05 pm
- Contact:
kyhwana wrote: The workaround doesn't seem to work, especially if you set it to false, then restart firefox, in about:config it's still set to false, but it's actually true, so the spoofing still works!
They need to fix this ASAP and release 1.0.1.
WFM. I changed networkIDN to false, closed firefox, reopened, tried http://www.schmoo.com/idn/ again and was given an alert that said paypal.com could not be found.
I'm using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050122 Firefox/1.0+
-
- Posts: 478
- Joined: July 21st, 2003, 4:45 am
- Location: Nottingham, UK
- Contact:
-
- Posts: 28
- Joined: January 29th, 2004, 2:37 pm
Using Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.5) Gecko/20041112 Firefox/1.0 - fix fails after closing and restarting browser. The displayed URL does not match the registered domain as shown in the certificate. The registered domain shown is www.xn-pypal-4ve.com.
See http://www.dslreports.com/forum/remark,12603456 for another discussion.
Cheers,
EG
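The mismatch described in the post above (Unicode name in the address bar, Punycode name in the certificate) can be checked mechanically. The following is an added example, not part of the original thread: it decodes the certificate's name, lists the non-ASCII characters hiding in it, and applies a hypothetical display policy that falls back to the ASCII form when a label mixes scripts. It assumes the name is written with the standard `xn--` ACE prefix; the function names are illustrative.

```python
import unicodedata

# Registered name as reported in the post above, written with the standard
# "xn--" ACE prefix (assumption of this example).
CERT_NAME = "www.xn--pypal-4ve.com"

def to_ace(hostname: str) -> str:
    """ASCII-compatible (Punycode) form, as carried in DNS and certificates."""
    return hostname.encode("idna").decode("ascii")

def from_ace(hostname: str) -> str:
    """Unicode form, as an IDN-enabled browser would render it."""
    return hostname.encode("ascii").decode("idna")

def non_ascii_chars(hostname: str) -> list:
    """Code point and Unicode name of every character outside ASCII."""
    return [(f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for ch in hostname if ord(ch) > 127]

def scripts(label: str) -> set:
    """Approximate scripts in a label: first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def display_form(hostname: str) -> str:
    """Hypothetical display policy: Unicode only if no label mixes scripts."""
    ace = to_ace(hostname)
    shown = from_ace(ace)
    if any(len(scripts(label)) > 1 for label in shown.split(".")):
        return ace
    return shown

if __name__ == "__main__":
    # Constructed sample hosts: the reported name, the real name, a benign IDN.
    for host in (CERT_NAME, "www.paypal.com", "xn--bcher-kva.de"):
        print(f"{host!r}: display as {display_form(host)!r}, "
              f"non-ASCII: {non_ascii_chars(from_ace(host))}")
```

A mixed-script check like this does not flag a name built entirely from one non-Latin script, so comparing the displayed name against the ASCII form in the certificate remains the stronger test.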
- venus_de_mpls
- Posts: 1059
- Joined: December 23rd, 2004, 3:43 pm
- Location: Minneapolis, MN, USA, Earth
schapel wrote: The problem with setting network.enableIDN to false has been reported as bug 281377 (https://bugzilla.mozilla.org/show_bug.cgi?id=281377).
That bug shows as resolved as it is a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=281365
-
- Posts: 27
- Joined: July 3rd, 2004, 6:50 am
- Location: England
- Contact:
venus_de_mpls wrote: schapel wrote: The problem with setting network.enableIDN to false has been reported as bug 281377 (https://bugzilla.mozilla.org/show_bug.cgi?id=281377).
That bug shows as resolved as it is a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=281365
It is fixed in recent nightly builds, I'm using one dated 06/02/2005, and IDN stays disabled when it restarts. I can't vouch for stability in other areas though. The previous version I tried wouldn't copy to clipboard for example, though this one does.
I'm still using 1.0 as my primary browser. Unless you are in the habit of responding to Phishing e-mails I don't see it as too much of an issue. I always use my own bookmarks when I go to important sites.
-
- Posts: 28
- Joined: January 29th, 2004, 2:37 pm
Nightly build information
Thanks for the information on nightly build as the fix -
I agree, since the exploit is a phish tool and most here are more observant than the casual user, it's not much of an exposure unless we have susceptible folks using our systems..
On the nightly build, since there may be other bugs in the builds, I'll probably wait for the next stable release. It would be nice to have a build with just the IDN fix, but I suppose that's something not available right now. I imagine as Firefox progresses there'll be patches or fix updates when things like this pop up.
Cheers,
EG
-
- Posts: 49
- Joined: June 6th, 2003, 4:37 pm
- Location: Tucson, Arizona
- venus_de_mpls
- Posts: 1059
- Joined: December 23rd, 2004, 3:43 pm
- Location: Minneapolis, MN, USA, Earth