
New security vulnerability in all browsers, except IE

Discussion in 'Security' started by J.D., Feb 7, 2005.

  1. #1
    Here's a little test some guys put together:

    http://www.shmoo.com/idn/
    If you click one of the links on this page, you will get a URL in your browser that says www.paypal.com, but it will be their site. You have to hit it with any browser but IE to see the effect.

    J.D.
     
    J.D., Feb 7, 2005 IP
  2. david_sakh

    #2
    this could get really gay really fast. Let's hope Mozilla patches soon. :eek:
     
    david_sakh, Feb 7, 2005 IP
  3. wingdude

    #3
    That's really scary, luckily I haven't come across a site that used this technique yet but I hope it will be fixed immediately otherwise IE might actually have an advantage (for once)!
     
    wingdude, Feb 7, 2005 IP
  4. barrow

    #4
    I read this on Boing Boing this morning. I am actually one of the only people around that uses IE and will stick behind it. Glad to see my browser of choice is getting good publicity for once.
     
    barrow, Feb 7, 2005 IP
  5. mopacfan

    #5
    One time out of about one million, I don't think those are very good stats :eek:
     
    mopacfan, Feb 7, 2005 IP
  6. mopacfan

    #6
    btw, that's really no different than the spoofing one can do by putting the @ in a url to spoof IE.
     
    mopacfan, Feb 7, 2005 IP
  7. J.D.

    #7
    Not true. The '@' character is used to separate user name/password from the domain name in the server portion of the URL. This particular problem is caused by the fact that the first 'a' character in www.paypal.com is actually an 'a' from the Cyrillic alphabet, which looks exactly the same as the one in the Latin alphabet.

    BTW, IE doesn't fall for this vulnerability not because MS engineers did a nice job, but because MS doesn't follow standards. IE is URL-encoding the domain name and trying to look up www.p%3Fypal.com instead of the actual domain, which in encoded form is www.xn--pypal-4ve.com (you can see this domain if you examine the certificate).

    There's a way to disable international domains in FF. Type about:config in the URL box and scroll down to network.enableIDN. Double-click to disable.

    J.D.
     
    J.D., Feb 7, 2005 IP
  8. dakar

    #8
    Imagine that... how long you think it will take M$ to patch IE now to break it?
     
    dakar, Feb 7, 2005 IP
  9. ResaleBroker

    #9
    Thanks J.D. :)
     
    ResaleBroker, Feb 7, 2005 IP
  10. da22in

    #10
    The Firefox/Mozilla teams will have it patched within a week...if it's patchable. As far as I know Paypal doesn't run its website without SSL (https://). If it ain't secured, it ain't Paypal.
     
    da22in, Feb 7, 2005 IP
  11. J.D.

    #11
    Click on this (https://www.pаypal.com/) and look at the bottom right corner where the padlock is. The only way you can see that something's going on is if you look at the certificate, which most people don't do.

    Browsers should display IDNs in a different color and should show the domain from the certificate along with its decoded counterpart, if they are different.

    J.D.
     
    J.D., Feb 7, 2005 IP
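
The check discussed in posts #7 and #11, as an added example that is not part of the thread: it shows a host name in both its displayed (Unicode) and looked-up (`xn--`) forms and flags any label that mixes alphabets. The function names are made up for this sketch, and reading the script from each character's Unicode name is a simplifying assumption, not how any browser implements it.

```python
import unicodedata

def label_scripts(label):
    """Scripts used by the letters of one DNS label, taken from the
    first word of each character's Unicode name (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def to_ace(label):
    """Encode one label to the ASCII form that is actually looked up."""
    label = label.lower()
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def from_ace(label):
    """Decode an xn-- label back to the Unicode form a browser displays."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def inspect_host(host):
    """Report both forms of a host name and any label that mixes scripts."""
    labels = [from_ace(part) for part in host.split(".")]
    return {
        "unicode": ".".join(labels),
        "ace": ".".join(to_ace(part) for part in labels),
        "is_idn": any(not part.isascii() for part in labels),
        "mixed_script_labels": [p for p in labels if len(label_scripts(p)) > 1],
    }

# Constructed sample input; \u0430 is CYRILLIC SMALL LETTER A.
SAMPLES = ["www.paypal.com", "www.p\u0430ypal.com", "www.xn--pypal-4ve.com"]

if __name__ == "__main__":
    for host in SAMPLES:
        info = inspect_host(host)
        flag = "SUSPICIOUS" if info["mixed_script_labels"] else "ok"
        print(f"{flag:10} {info['ace']:24} {info['unicode']!r}")
```

A label written entirely in one non-Latin script is reported as an IDN but not as mixed, so legitimate international domains are not flagged by this check.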