Vigil@nce - Chrome, Firefox: site spoofing via homographs
June 2017 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a URL with Unicode characters that look like
ASCII characters, in order to deceive the victim.
Impacted products: Chrome, Firefox, SeaMonkey, Opera.
Severity: 2/4.
Creation date: 18/04/2017.
DESCRIPTION OF THE VULNERABILITY
Several Unicode characters (such as U+0430) look like the ASCII
’a’ character. Some attackers use domain names containing these
variants, in order to invite the victim to click on a link.
This type of attack, based on homographs, was already described in
several bulletins (VIGILANCE-VUL-4729 and VIGILANCE-VUL-8497).
Fixes have been applied in most software.
However, when the name is composed only of Unicode characters, the
Chrome and Firefox protections are bypassed. For example,
https://xn--e1awd7f.com/ is displayed as https://www.epic.com/.
Moreover, as a valid certificate for this domain can be obtained
via Let’s Encrypt, an attacker can easily spoof a TLS site.
An attacker can therefore use a URL with Unicode characters that
look like ASCII characters, in order to deceive the victim.
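
As an added example (not part of the Vigil@nce bulletin), the Python check below decodes Punycode labels and flags names made entirely of non-Latin characters that each have an ASCII lookalike, which is the case described above. The LOOKALIKES table is a small constructed subset, and reading the script from the Unicode character name is a simplifying assumption.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones.
# A production check would load the full Unicode confusables data (UTS #39).
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j", "\u04bb": "h", "\u0501": "d",
}

def decode_label(label):
    """Return the Unicode form of one DNS label (Punycode 'xn--' prefix handled)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(text):
    """Script names, approximated by the first word of each character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def check_host(host):
    """Classify each label: ascii, mixed-script, whole-script-lookalike or idn."""
    results = []
    for label in host.rstrip(".").split("."):
        text = decode_label(label)
        # Skeleton: what the label reads as once lookalikes are mapped to ASCII.
        skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in text)
        if text.isascii():
            verdict = "ascii"
        elif len(scripts(text)) > 1:
            verdict = "mixed-script"            # the older, already-fixed case
        elif skeleton.isascii():
            verdict = "whole-script-lookalike"  # the case this bulletin covers
        else:
            verdict = "idn"                     # ordinary internationalized name
        results.append((label, text, skeleton, verdict))
    return results

if __name__ == "__main__":
    # The bulletin's example host plus constructed comparison cases.
    for host in ("xn--e1awd7f.com", "www.epic.com", "p\u0430ypal.com", "m\u00fcnchen.de"):
        for row in check_host(host):
            print(host, row)
```

Labels reported as whole-script-lookalike are candidates for display in their xn-- form or for blocking in a mail or proxy filter.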
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Chrome-Firefox-site-spoofing-via-homographs-22467