X

Safari (and Mozilla, Firefox) domain name spoofing vulnerability

Safari (and Mozilla, Firefox) domain name spoofing vulnerability

CNET staff
See full bio
CNET staff
2 min read

MacFixIt reader Gregory F. Welch points to a new Safari (and Mozilla) spoofing vulnerability, which could allow malicious parties to obtain sensitive information by masquerading as legitimate, recognized Web sites.

The proof-of-concept for this flaw is located at:

http://www.shmoo.com/idn/

As you can see, the browser URL indicator displays: "http://wwww.paypal.com," though the site's content does not reflect that URL. This occurs because of an interesting set of circumstances afforded by browser support for Unicode/UTF8 domain name resolution.

As noted by the flaw's discoverers:

"Clicking on any of the two links in the above webpage using anything but IE should result in a spoofed paypal.com webpage.

"The links are directed at "http://www.p?ypal.com/", which the browsers punycode handlers render as www.xn--pypal-4ve.com.

"This is one example URL - - there are now many ways to display any domain name on a browser, as there are a huge number of codepages/scripts which look very similar to latin charsets. [...]

"Vulnerable browsers include (but are not limited to):

  • Most mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc)
  • Safari 1.2.5
  • Opera 7.54
  • Omniweb 5

"There are a few methods to detect that you are under a spoof attack. One easy method is to cut and paste the url you are accessing into notepad or some other tool (under OSX, paste into a terminal window) which will allow you to view what character set/pagecode the string is in. [...]

"You can disable IDN support in mozilla products by setting 'network.enableIDN' to false. There is no workaround known for Opera or Safari."

UPDATE: MacFixIt reader Hao Li lets us know that he has created a Safari plug-in to fix this problem.

Hao says "This free plugin works only with the latest Safari version 1.2.4 (v125.12). I think Apple will soon release a security update, but in the meantime Saft Lite is a good solution."

The plug-in can be downloaded here.

Feedback? Late-breakers@macfixit.com.

Resources

  • http://www.shmoo.com/idn/
  • here
  • Late-breakers@macfixit.com
  • More from Late-Breakers

    • Computing Guides

    Laptops
    Desktops & Monitors
    Computer Accessories
    Photography
    Tablets & E-Readers
    3D Printers