Phishing flaw a danger to alternative browsers

A security weakness in a standard for handling special character sets in domain names could let an attacker spoof Web sites on non-Microsoft browsers, a researcher has warned.

The problem arises because certain browsers support a standardized way of representing domain names in the letters or characters of any language, security expert Eric Johanson said at the ShmooCon hacker convention this weekend. Called Internationalized Domain Names, the standard allows companies to register domain names that appear to be the same in different languages.

Related feature
Have you been phished?

Check here to see whether an e-mail that appears to be from your bank or an online merchant is actually an attempt to defraud you.

That encoding scheme could enable an attacker to create a fake Web site for a phishing scam. A spoofed link would seem to be a legitimate URL in the address bar of affected browsers--Opera, Apple Computer's Safari, and the Mozilla and Firefox browsers from the Mozilla Foundation. But instead of taking the victim to the trusted site, the link would lead to a phony Web site with a domain rendered as the same address under the IDN process.

The Mozilla Foundation is looking for a long-term solution to the issue, Chris Hofmann, director of engineering at the company, said in a statement.

"With the increase in phishing attacks, there is a growing concern that exploits could take advantage of this feature to trick users into visiting rogue sites," Hofmann stated. "Mozilla is looking at options for fixing or disabling this feature and should have more information available very soon."

Phishing attacks, which try to fool consumers into handing over sensitive information by creating legitimate-looking Web sites and e-mail messages, have become a central security concern recently. While vulnerabilities in Microsoft's Internet Explorer have been the focus of much of the concern, other browsers also have had their fair share of flaws.

The security weakness in the IDN scheme comes as registrars push for support for expressing domain names in different languages and scripts.

"There are now many ways to display any domain name on a browser, as there are a huge number of (character sets) which look very similar to Latin (characters)," Johanson said in an advisory.

The advisory demonstrates the attack using the domain for PayPal, but using an alternate Unicode character for the first "a." That gives an address that looks like "http://www.p?ypal.com," but with a smaller "a."

Details of the flaw were shown at ShmooCon, a hacking and computer security convention, in Washington D.C., last weekend. The Shmoo Group, a loose association of security professionals that runs the convention, notified the affected browser makers in mid-January. Johanson is a member of the Shmoo Group.

Apple, VeriSign and Opera Software could not immediately be reached for comment.

Microsoft has not implemented support for IDN yet, so its IE browser is not vulnerable to the flaw.

Browser security is gaining attention among software makers. In December, Internet security company Netcraft released an IE plug-in that it said could help people avoid becoming victims of online fraud. In addition, Netscape announced last month that it is getting ready to release a browser designed to resist phishing attacks.

[David Arbogast]

dangit....

How did that one flaw get into all those quality web browsers..??!?

Oh yeah... open-source code sharing.

;)

[dhk]

Try reading the story again

The problem is not in the browsers but in the fact that they meet current standards for handling internationalized domain names that IE doesn't yet meet (because IE is about 10 years behind the pack in terms of its "features" and doesn't meet a lot of standards for operating in cyberspace).

But don't worry IE has so many flaws that allow phishers to do their thing, as well as hackers and you name it, one more problem with it would be irrelevant (although we can expect considerably more than one more problem with it in the future, if its past is any indication).

But, never fear, open source developers will take care of the problem as they always do. And IE will continue to limp along as it always has.

[Bill Dautrive]

re:dangit

Why do you insist on proclaiming your stupidity to the world?

Everyone here knows you do nothing but blindly support MS, and quite often use language identical to gates and balmer.

Try educating yourself and stop allowing your opinions to be fed to you.

[cheddu]

There is a workaround for Mozilla/Firefox

Before everyone starts freaking out...

This hit Slashdot http://slashdot.org this morning and has been discussed there. Proof of concept for this problem can be found at http://www.shmoo.com/idn

There is a workaround that is effective for Mozilla and Firefox:

Open Firefox or Mozilla.

In the address bar type:
about:config

Look for the line that says:
network.enableIDN

The value needs to be changed to False. Right-click on that line and select Toggle

The change is immediate and it works. Now, I expect that the folks at Mozilla http://www.mozilla.org will have the problem fixed in a couple of days. The open source community doesn't tend to take flaws lightly. We're not talking Microsoft and their months to patch flaws.

[qazwiz]

Long term goal... Auto detect and warn

While turning off the extended letter set is a good short term fix in the future we need automatic detection and user selectable warnings

Since it is a standard, there is a large but finite list of characters, most certianly coded according to language set, that can manually be examined and put into lists of simular letters.

Then using the resident language as a starting point, a computer could generate resident equivelants and even "ping"(ask the web if it exists) the possible variants to see if they are valid. And allow the user to choose multiple (dot) endings to check with warnings for strange (dot) endings.

These suggestions could take a few seconds depending on number of odd characters and how many (dot) endings are being checked so it should have a user option to turn it off if so desired. Other user options should include desiginating additional letter sets as safe (ignore if they appear) or even designating them as active(include in base letterset when generating possible alternate web sites) these both being useful to bi-lingual webbies.
Some might even like to automaticly go to a site and check in the background for the variants so 20 seconds later the warning might come up(not for quick clickers)

The warnings should be user configurable also.
Visual, audio or maybe even one of those nasty announce boxes that stops everything until you click it (not for me they distract my line of thinking)
What they do and how long they do it should be user adjustable.

As a parting thought: how long will it be before we hear Microsoft chirping how not following the mass agreed upon standard is a security plus?

rule of thumb(for the USA): if its got a funny line above it... it's foreign.

This workaround doesn't really work

If you notice the next time you open firefox and go to the links it will still bring you there and if you check the value it will still say false so this workaround would have to be done every time you open firefox....

[David Arbogast]

simple??

Sounds about as simple as a Windows registry tweak. Only, its not a permanent fix. Do you suppose we'll get a PATCH to fix this? Or will we have to wait and install a whole new version of the browser?

[dhk]

How many people are actually having this problem?

I'm using Mozilla 1.5 (Debian) and it's already configured to default to "network.enableIDN false." It did not spoof the paypal address in the demo. I very clearly got the real address of the spoofing site showing in both the locator and status bars.

How was the test for this advisory done?

Are people actually having a problem with the configuration of their browsers and this issue?

FWIW

The very comment "IE invulnerable to security weakness" should raise eyebrows. So I visited the demo site.

Using IE, I get "meowww". I guess that's a confirmation it's vulnerable.

Guess what? Using Firefox, I also get "meowwww".

The bigger question is, why would anyone respond to an e-mail from PayPal concerning their account and giving out information when the company has bent over backwards to make sure people know PayPal doesn't do that!

For me, Firefox is faster, has a couple of errors to be sure but it's in version 1 versus IE which is way up there and needs to be updated monthly to keep it secure. The bigger question is why some sites simply insist on using IE-specific/IE-only pages (ie launch.yahoo.com). I like Firefox better for a dozen reasons, but security was my least concern and posting an article with a demo link that seems to invalidate the article is pretty irresponsible.

-doug

[Bill Dautrive]

re

<The bigger question is, why would anyone respond to an e-mail from PayPal concerning their account and giving out information when the company has bent over backwards to make sure people know PayPal doesn't do that!>

Because people are stupid. Luckily(or unluckily, depending on your view), most stupid people still use IE.

[powerclam]

Surprise! It's worse on Windows!

Surprise!
On my linux-box, running Moz 1.73a, the spoofed url looks just a bit funny on the status-bar (weird extra space around the "a.")
With the same Moz-version running on WinXP, the statusbar-display looks completely normal, giving even a paranoid surfer no clue.

Ta! I'm shocked. Shocked!

[201293546946733175101343322673]

Oh Well

Now what, Open Source people now say it is MS's fault when FireFox/Morzilla has flaws? They just don't want to admit they are wrong, or admit their products have bugs, are they? :)

[dwrixon]

IDN / Phishing Argument turned on its head.

One of the biggest arguments out there against IDN is the Phishing argument. This has now largely been negated by ICANN banning registeration of mixed character scripts that are likely to cause confusion.

However, another side of the story has been put. It is clear that many words in local characters have multiple representations when transliterated, often with more than one system, into Latin Characters. Each of these ambiguities offers an opportunity for a Phisher to conduct his Scam. Unlike the problem of eliminating the use of rogue cyrillics in Latin scripts, I see no easy solution to this problem, as each of the transliterations are in a single script and therefore legitimate. Indeed, each could have legitimate usuage, but surely often won't.

The argument therefore develops into the imperative of introducing IDN to prevent Phishing Scams in Asia. Without IDN, it is likely that the confusion over how to transliterate will result in a Pandemic of Scamming, the scale of which will be unprecidented! I feel that we should no longer be silent on the issue of Phishing as IDN undoubtedly will hold the moral high ground on this issue.