Non-Microsoft browsers vulnerable to a URL spoof
February 8, 2005
A security loophole in the Mozilla, Firefox and Konqueror browsers could be used to spoof the URL displayed in the address bar, the SSL certificate details and the status bar, a security expert said. The vulnerability stems from flawed processing of IDNs, or Internationalized Domain Names, in the affected browsers.
The flaw opens up many possibilities for phishing attacks, in which look-alike websites are used to trick people into submitting credit card numbers and passwords to bogus web forms.
The problem arises because these browsers support a standardized way of representing domain names in the letters or characters of any language, security expert Eric Johanson said at the ShmooCon hacker convention this weekend. Called Internationalized Domain Names, the standard lets registrants use non-ASCII characters in domain names, so a name built from the characters of one script can be registered that looks identical on screen to an existing name written in another.
The Mozilla Foundation is looking for a long-term solution to the issue, Chris Hofmann, director of engineering at the foundation, said in a statement.
"With the increase in phishing attacks, there is a growing concern that exploits could take advantage of this feature to trick users into visiting rogue sites," Hofmann stated. "Mozilla is looking at options for fixing or disabling this feature and should have more information available very soon."
Look-alike characters are already a familiar problem: in the fonts most Windows programs use, the digit "1" (one) looks very like the lower-case letter "l" (L), and "0" (zero) like the capital letter "O", so two different addresses can look the same in the address bar.
IDN makes this far worse, because domain registrars now accept names written in non-ASCII characters. Under the German keyboard layout, for example, the key that produces "[" on a US layout produces "ü" (a "u" with two small dots above it), so a prankster can register www.fün.com, which at a glance looks like www.fun.com in the address bar but has nothing to do with the legitimate fun.com site.
Most users will not notice the difference, and so can fall victim to phishing that uses such look-alike names to lure them.
That encoding scheme could enable an attacker to set up a fake website for a phishing scam. A spoofed link would appear to be a legitimate URL in the address bar of the affected browsers, namely Opera, Apple Computer's Safari, and the Mozilla and Firefox browsers from the Mozilla Foundation. But instead of taking the victim to the trusted site, the link would lead to a phony website whose domain is rendered as the same address under IDN processing.
The bug has been confirmed in Mozilla 1.7.5, Firefox 1.0, Konqueror 3.2.2 and Opera 7.54; other versions may also be affected, security company Secunia reports. Internet Explorer users are not affected by this bug (Internet Explorer did not support IDN natively at the time), although IE is still subject to other flaws with a similar effect. You can check whether your browser is affected using Secunia's URL spoofing test.
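To make the mechanism concrete, the following is an added example in JavaScript (Node.js); it is not code from the article, from Secunia or from any browser vendor. It encodes an IDN label into the Punycode form (RFC 3492) that the DNS actually sees, and applies two of the display rules browsers later adopted against this attack: a label that mixes scripts, or whose look-alike "skeleton" matches a known ASCII name, is shown in its xn-- form rather than its Unicode form. The script ranges, the CONFUSABLES table, the knownNames list and the Cyrillic-"a" paypal sample are simplified constructions for illustration; real IDNA processing also applies the UTS #46 mapping and the full Unicode confusables data, both of which this example omits.

```javascript
// Added example (not the article's code): RFC 3492 Punycode encoding of IDN labels
// plus two browser-style homograph checks. Tables and script ranges are simplified.
const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
const INITIAL_BIAS = 72, INITIAL_N = 128;

// RFC 3492 section 6.1: bias adaptation between successive encoded deltas.
function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : delta >> 1;
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > ((BASE - TMIN) * TMAX) >> 1) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// Digit values 0..25 map to a..z, 26..35 to 0..9.
const digit = d => String.fromCharCode(d < 26 ? d + 97 : d - 26 + 48);

// Encode one label (without the "xn--" prefix), RFC 3492 section 6.3.
function punycodeEncode(label) {
  const cps = Array.from(label, ch => ch.codePointAt(0));
  let out = cps.filter(c => c < 0x80).map(c => String.fromCodePoint(c)).join('');
  const basic = out.length;
  let h = basic, n = INITIAL_N, delta = 0, bias = INITIAL_BIAS;
  if (basic > 0) out += '-';
  while (h < cps.length) {
    const m = Math.min(...cps.filter(c => c >= n));   // smallest code point not yet handled
    delta += (m - n) * (h + 1);
    n = m;
    for (const c of cps) {
      if (c < n) delta++;
      if (c === n) {
        let q = delta;
        for (let k = BASE; ; k += BASE) {              // generalized variable-length integer
          const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
          if (q < t) break;
          out += digit(t + ((q - t) % (BASE - t)));
          q = Math.floor((q - t) / (BASE - t));
        }
        out += digit(q);
        bias = adapt(delta, h + 1, h === basic);
        delta = 0;
        h++;
      }
    }
    delta++;
    n++;
  }
  return out;
}

const isAscii = s => /^[\x00-\x7f]*$/.test(s);

// Wire form of a domain: ASCII labels pass through, others become xn-- labels.
// Real IDNA applies the UTS #46 mapping first; lowercasing stands in for it here.
function toAscii(domain) {
  return domain.split('.').map(label => {
    const lower = label.toLowerCase();
    return isAscii(lower) ? lower : 'xn--' + punycodeEncode(lower);
  }).join('.');
}

// Coarse script classification (assumption: a few Unicode blocks, enough for the demo).
function scriptOf(cp) {
  if (cp < 0x80 || (cp >= 0xc0 && cp <= 0x24f)) return 'latin';
  if (cp >= 0x370 && cp <= 0x3ff) return 'greek';
  if (cp >= 0x400 && cp <= 0x4ff) return 'cyrillic';
  return 'other';
}

// Tiny hand-picked subset of Unicode's confusables data (assumption: far from complete).
const CONFUSABLES = {
  '\u0430': 'a', '\u0435': 'e', '\u043e': 'o', '\u0440': 'p', '\u0441': 'c',
  '\u0443': 'y', '\u0445': 'x', '\u0456': 'i', '\u0455': 's', '\u03bf': 'o',
};

// "Skeleton" of a label: strip diacritics (so ü becomes u) and replace look-alikes.
function skeleton(label) {
  return Array.from(label.normalize('NFD'))
    .filter(ch => !/\p{M}/u.test(ch))
    .map(ch => CONFUSABLES[ch] || ch)
    .join('');
}

// Reason string if the label must not be shown in Unicode form, otherwise null.
function homographRisk(label, knownNames = []) {
  if (isAscii(label)) return null;
  const scripts = new Set(Array.from(label, ch => scriptOf(ch.codePointAt(0))));
  if (scripts.size > 1) return 'mixed-script';
  const sk = skeleton(label);
  if (sk !== label && isAscii(sk) && knownNames.includes(sk)) return 'confusable-with:' + sk;
  return null;
}

// What the address bar should display: Unicode only for labels that pass the checks.
function displayDomain(domain, knownNames = []) {
  return domain.split('.').map(label => {
    const lower = label.toLowerCase();
    return homographRisk(lower, knownNames) ? toAscii(lower) : lower;
  }).join('.');
}

// Demo on constructed names: the article's fün.com, a legitimate umlaut name, and a Cyrillic-"a" look-alike.
const known = ['fun', 'paypal'];                       // constructed list of names users trust
for (const d of ['www.f\u00fcn.com', 'b\u00fccher.de', 'p\u0430ypal.com']) {
  const label = d.split('.')[d.split('.').length - 2];
  console.log(d, '| wire:', toAscii(d), '| shown:', displayDomain(d, known), '| risk:', homographRisk(label, known));
}
```

Run with `node` and the article's case falls out directly: www.fün.com is sent to the DNS as www.xn--fn-xka.com, and because the skeleton of "fün" is "fun", a name on the trusted list, the address bar would show the xn-- form instead of the look-alike. bücher.de is single-script and collides with nothing, so its Unicode form is kept; the Cyrillic-"a" paypal is rejected as mixed-script before any skeleton comparison. Whichever policy a browser picks, the user's only reliable defence in the affected versions is to look at the Punycode form, which the Secunia test above makes visible.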