Safari (and Mozilla, Firefox) domain name spoofing vulnerability
MacFixIt reader Gregory F. Welch points to a new Safari (and Mozilla) spoofing vulnerability, which could allow malicious parties to obtain sensitive information by masquerading as legitimate, recognized Web sites.
The proof-of-concept for this flaw is located at:
As you can see, the browser URL indicator displays "http://www.paypal.com," though the site's content does not reflect that URL. This occurs because of an interesting set of circumstances afforded by browser support for Unicode/UTF-8 domain name resolution.
As noted by the flaw's discoverers:
"Clicking on either of the two links in the above webpage using anything but IE should result in a spoofed paypal.com webpage.
"The links are directed at "http://www.pаypal.com/", which the browsers' punycode handlers render as www.xn--pypal-4ve.com.
"This is one example URL -- there are now many ways to display any domain name on a browser, as there are a huge number of codepages/scripts which look very similar to Latin charsets. [...]
"Vulnerable browsers include (but are not limited to):
- Most Mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc.)
- Safari 1.2.5
- Opera 7.54
- Omniweb 5
"There are a few methods to detect that you are under a spoof attack. One easy method is to cut and paste the URL you are accessing into Notepad or some other tool (under OS X, paste into a Terminal window), which will allow you to view what character set/codepage the string is in. [...]
"You can disable IDN support in mozilla products by setting 'network.enableIDN' to false. There is no workaround known for Opera or Safari."
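The manual check the discoverers describe (paste the URL somewhere that reveals its character set) can be automated: convert the hostname to its punycode form, decode any `xn--` labels back to Unicode, and flag labels that are non-ASCII or mix scripts. The following is an added example written for this article, not code from the advisory or from any browser; the sample URLs are constructed here, using the advisory's www.xn--pypal-4ve.com lookalike.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed samples: the genuine host, the advisory's lookalike in its
# punycode form, and the same lookalike as a browser would display it
# (with a Cyrillic small a, U+0430, in place of the Latin a).
SAMPLE_URLS = [
    "http://www.paypal.com/",
    "http://www.xn--pypal-4ve.com/",
    "http://www.p\u0430ypal.com/",
]


def to_unicode_label(label: str) -> str:
    """Decode an xn-- punycode label back to Unicode; leave plain labels alone."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_of(label: str) -> set:
    """Scripts used in a label, taken from the first word of each character's Unicode name."""
    scripts = set()
    for ch in label:
        if ch in "-0123456789":
            continue  # digits and hyphens belong to every script
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def analyse_host(url: str) -> dict:
    """Report the ASCII (punycode) and Unicode forms of a URL's host and flag lookalikes."""
    host = urlsplit(url).hostname or ""
    # Canonical ASCII form, as a resolver or proxy log would record it.
    ascii_host = host.encode("idna").decode("ascii")
    labels = [to_unicode_label(lbl) for lbl in ascii_host.split(".")]
    unicode_host = ".".join(labels)
    scripts = set()
    for lbl in labels:
        scripts |= scripts_of(lbl)
    non_ascii = ascii_host != unicode_host          # some label needed punycode
    mixed_scripts = len(scripts) > 1                # e.g. Latin plus Cyrillic
    return {
        "ascii_host": ascii_host,
        "unicode_host": unicode_host,
        "scripts": scripts,
        "suspicious": non_ascii or mixed_scripts,
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", analyse_host(u))
```

Checking the ASCII form rather than what the address bar shows is the point: the lookalike only becomes visible once you know the label was punycode-encoded.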
UPDATE: MacFixIt reader Hao Li lets us know that he has created a Safari plug-in to fix this problem.
Hao says "This free plugin works only with the latest Safari version 1.2.4 (v125.12). I think Apple will soon release a security update, but in the meantime Saft Lite is a good solution."
The plug-in can be downloaded here.