[Marketing-Public]Non-Microsoft Browsers Have Spoofing Flaw

Omi Azad omi at ekushey.org
Thu, 10 Feb 2005 11:29:17 +0600

All non-Microsoft browsers include a flaw that allows URL spoofing using 
Unicode characters, which can be exploited by phishing scams seeking to 
steal login information for online banking accounts. The spoofing flaw, 
which is demonstrated on the web site of the Shmoo Group, works in the 
Firefox, Mozilla and Opera browsers, as well as the Safari browser for Macs.

The spoof exploits flaws in how the browsers interpret Unicode 
characters. A link using Unicode characters to replace the letter "a" in 
"Paypal" will display as www.paypal.com in the browser, but send users 
to www.xn--pypal-4ve.com - which then displays "www.paypal.com" in its 
address bar. A similar spoof works on SSL-enabled URLs (https) commonly 
used on banking and e-commerce sites.

Unicode is a broader character set that includes non-English characters 
as well as symbols, which is being used on the Internet to support 
Internationalized Domain Names (IDN). The affected browsers support IDN, 
while Microsoft's Internet Explorer does not.

The attack can be disabled in Firefox and Mozilla by setting 
'network.enableIDN' to false in the browser's configuration (enter 
about:config in the address bar to access the configuration functions). 
There is no known workaround yet for Opera or Safari, according to a 
Bugtraq post from Shmoo, which describes itself as "a non-profit 
think-tank comprised of security professionals" and hosted the Shmoocon 
conference over the weekend.
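The mechanism described above (a Cyrillic letter standing in for the Latin "a", which Punycode turns into the xn-- form the DNS actually resolves) and the "show the Punycode form instead of the Unicode form" workaround, as an added Python example that is not part of the original post or of any browser's code. It uses only the standard library's idna codec and unicodedata module; the sample hostnames are constructed for the demonstration, and the mixed-script check is a deliberately simplified version of the display rules browsers adopted later: it flags a label that mixes Latin and Cyrillic letters, but not a label written entirely in look-alike letters of one non-Latin script.

```python
import unicodedata

# Constructed sample hostnames (not from the original post): the genuine ASCII
# name, the homograph with Cyrillic small a (U+0430) in place of the Latin "a",
# the Punycode form that homograph resolves to, and a legitimate single-script
# German IDN for comparison.
SAMPLE_HOSTS = [
    "www.paypal.com",
    "www.p\u0430ypal.com",
    "www.xn--pypal-4ve.com",
    "m\u00fcnchen.example",
]


def to_ascii(host: str) -> str:
    """IDNA ToASCII: Unicode labels become Punycode 'xn--' labels (what DNS sees)."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """IDNA ToUnicode: 'xn--' labels decode back to the characters a browser draws."""
    return host.encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label, taken from the first word of
    each character's Unicode name ('LATIN', 'CYRILLIC', 'GREEK', ...)."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def mixed_script_labels(host: str) -> list:
    """Labels of the displayed (Unicode) form that mix two or more scripts."""
    shown = to_unicode(to_ascii(host))
    return [lab for lab in shown.split(".") if len(label_scripts(lab)) > 1]


def safe_display(host: str) -> str:
    """What an address bar should draw: the Unicode form for single-script
    labels, the Punycode form as soon as any label mixes scripts. Showing the
    'xn--' form has the same effect as switching IDN display off, but only for
    the suspicious case, so legitimate IDNs still render."""
    ascii_form = to_ascii(host)
    if mixed_script_labels(ascii_form):
        return ascii_form
    return to_unicode(ascii_form)


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h!r:28} DNS sees {to_ascii(h):26} "
              f"display {safe_display(h)!r}  mixed={mixed_script_labels(h)}")
```

Running the script prints one line per sample: the homograph and its xn-- form both come back as `www.xn--pypal-4ve.com` for display, while the German name keeps its umlaut because all its letters are Latin. The design choice worth noting is that the check runs on the decoded form of whatever the link contains, so a phishing link that already carries the xn-- label is treated exactly like one that carries the Unicode characters.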

URL spoofing exploits are useful to Internet phishing scams, making it 
easier to trick victims into sharing sensitive information with bogus 
web sites constructed by fraudsters, which can be coded to present a 
target institution's URL in the address bar. The impact of the spoofing 
flaw is limited by the low usage of non-IE browsers, but comes as 
Firefox is making inroads into Internet Explorer's dominant market 
position, gaining up to 5 percent of users by some accounts.