Skip

IDN browser hacks
February 7, 2005 11:12 AM   Subscribe

Heard about the IDN browser hack? Try out this test page which should open your eyes (the hack is blocked in IE, ironically enough). Here's a list of all affected browsers, ways to fix this in mozilla inside.
posted by mathowie (64 comments total)

 
A new user sent this to me to post, and added the following:
"You can disable IDN support in mozilla products by setting 'network.enableIDN' to false. There is no workaround known for Opera or Safari."

This is obviously something which has to change at the standard level, not the implementation level, but until then... Phishing just got THAT much easier.
posted by mathowie at 11:14 AM on February 7, 2005


Hey Matt,

Bad news... at least on Firefox... you can set this to false, but upon restart the browser sets itself to true again. Try it on the exploit and see. When you re-config it still lists as false but you have to -true-false- again in order to re-false it.

:(
posted by cavalier at 11:18 AM on February 7, 2005


Yikes that's bad! I just turned it off. It sucks that I needed to turn it off.
posted by riffola at 11:18 AM on February 7, 2005


Oh cavalier is correct, Firefox does reenable it.
posted by riffola at 11:20 AM on February 7, 2005


Weee, matt posted my suggestion from email 'cause I'm not authorized to post FPs yet. Here are some other links:

For an example, try clicking these two links, mouseover 'em, whatever, copy/paste into url location bar whatever...
http://www.p?ypal.com/
https://www.p?ypal.com/

And as for a workaround...
"V.Workaround
You can disable IDN support in mozilla products by setting 'network.enableIDN' to false. There is no workaround known for Opera or Safari."

This is obviously something which has to change at the standard level, not the implementation level, but until then... Phishing just got THAT much easier.
posted by unrequited at 11:21 AM on February 7, 2005


Ahhh, well it seems, that even though the links passed through the preview screen of posting, Metafilter is protected against using IDN names... or it doesn't support them heh. Same thing.
posted by unrequited at 11:24 AM on February 7, 2005


It might be helpful to tell us what to expect. Will clicking on the link format our C drives? Will it open up a torrent of spam?

I mean how fun does this link sound:
Heard about the DEATH hack? Click here to try it out
posted by H. Roark at 11:29 AM on February 7, 2005


https://www.pаypal.com/
posted by riffola at 11:31 AM on February 7, 2005


So wait, if the hack works then I should have seen the Spoof PayPal site? I only got a little page with a Meow in the upper left hand corner.
posted by fenriq at 11:32 AM on February 7, 2005


H. Roark, it's just a page that features a word, nothing malicious, it's a demo.

fenriq, I think the site is supposed to show the Meow isntead of the paypal site to show you how even though the url bar indicates the address is correct, it's not Paypal.
posted by riffola at 11:33 AM on February 7, 2005


Can anyone explain this in plain english? The text file describing the hack says that the URL is translated to: www.xn--pypal-4ve.com

...does this mean that the hack requires you to buy a domain based on what you expect the unicode characters to translate to? I'm confused.

For instance, from my understanding, I'd never be able to claim my site was paypal.com in the same way shmoo did since shmoo already bought xn--pypal-4ve.com, but I might be able to pick a different domain name that might also work? For instance, using the code for the second A, rather than the first...?
posted by odinsdream at 11:33 AM on February 7, 2005


riffola, thanks for the explanation. The site could be a little clearer in what's going on.

Isn't the safest thing to do when confronted with an embedded URL, to open a new tab and type in the site you're trying to get to rather than clicking the link?
posted by fenriq at 11:37 AM on February 7, 2005


Fortunately, the less-savvy still use IE and suffer their protection through disability. The more capable web users on more advanced browsers should just be slightly more aware of the pages they're visiting and the emails that they receive.

[telephone help]
If you get an email asking you to log into your account and you believe it to be genuine, follow the link and put junk into the login form.
If it doesn't give you a proper error page or, amazingly, it appears as though you've actually logged in successfully, tell the owners of the genuine site, forwarding the email.
If you don't think it's genuine, delete the email.
[/telephone help]


Happy monday, all.

(on preview: I'm with odinsdream - how can this work at the DNS side?)
posted by NinjaPirate at 11:40 AM on February 7, 2005


Firefox saved the setting for me after I set it to false.

Shut the browser down and brought it up, still good.

For those who don't know, type about:config in the address space, find the network.enableIDN (its alphabetical), then click on it to change the setting.
posted by nofundy at 11:43 AM on February 7, 2005


fenriq - that's my favourite piece of IE tech support ever.
"The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site."

Or, you could go into Options->Settings and untick the box for "Whole Point of the Internet"
posted by NinjaPirate at 11:48 AM on February 7, 2005


In Galeon, when I mouseover the fake URLs, the bar at the bottom grows by a pixel or two in a way that it doesn't for ordinary URLs. Wonder how long it'll take to spoof that as well.

ObConspiracy: this is Redmond's way of scaring off potential switchers to Firefox!

Having set network.enableIDN to false, the only change for me is that it says "can't find paypal.com", without adding "because it's been spelled in a ridiculous way". Better than nothing of course.
posted by Aknaton at 11:50 AM on February 7, 2005


For what it's worth, setting network.enableIDN to false for me, in firefox on Windows, does absolutely nothing. The setting is retained through restarts, but the links still work, and still appear normally.

Even worse, right-clicking and copying a link's destination then pasting it into Notepad is also useless. The only way for me to currently avoid bad links would be to look at the source code for the page and see the funky code.

But, I'd like to ask again, this seems to require that you pick a URL with certain characters, figure out what wacky codes you can use in place of those characters, and then buy a funky domain name based on what you expect the browser to translate it to.

Let me know if I'm wrong, but I don't, for example, see any way to actually implement this hack on my own web server without first shelling out for a domain name, and even then, it's going to require one new domain for each site I want to impersonate.
posted by odinsdream at 11:58 AM on February 7, 2005


I'm with nofundy, it's still set to False after restarting Firefox 1.0 (WinXP Pro).
posted by NoMich at 12:17 PM on February 7, 2005


Here's a safari tip. Go to the phoney paypal link above and double click the word paypal in the address bar. Only the pyal bit gets highlighted (or the "a" on its own if you double click it) because it's not a real a.

Trying it with the kosher paypal site causes the entire paypal word to be highlighted.
posted by tommyc at 12:27 PM on February 7, 2005


...type the URL of your intended destination in the address bar yourself...
Or, much easier, use a handy little freeware program called Typeitin (which I got from a recent MeFi freeware post). Program it for your sensitive URLs, then one click does it all.
posted by weapons-grade pandemonium at 12:28 PM on February 7, 2005


Odinsdream, I believe you are right. But the process of finding a fake URL is basically as simple as looking up a homograph of a single letter in a URL. The IDN (or punycode?) standard will tell you which mangled URL you should buy.

Presumably, you're using a stolen credit card and false information to buy this URL. And you only need the URL for a couple of days, to get information from maybe three or four people. That's a quick couple of thousand bucks.

Phishing aside, you can also use this exploit to create political mayhem. Imagine this email floating around before the next election:

I knew the democrats were evil communists, but check this out! Go to http://www.democrats.org/, and read their latest headline about legalizing gay marriage and euthanasia!

Or think about the fake CNN or NYT stories you could circulate about terrorist attacks, crazy world leaders or celebrity scandals.

It's probably not the end of the world, but imagine what you could do if you could pretend to be any website for one day.
posted by hammurderer at 12:28 PM on February 7, 2005


yo NoMich and nofundy, go back and try to hit the evil link again. You'll find it's still working (thus acting as true) even though the config says false.

fenriq, the idea is, you want to scam people out of their info. You send them to a page that says click here to go to paypal and submit your info. Then they go to www.44---pa--vh--ypal.com, which you registered, and you take their info. Phishing done.
posted by cavalier at 12:28 PM on February 7, 2005


Yikes, that hack beats SpoofStick.

"You can disable IDN support in mozilla products by setting 'network.enableIDN' to false."

How do you do that in Mozilla products? I don't see anything about it in Edit > Preferences.
posted by davy at 12:48 PM on February 7, 2005


As there are many different alphabets out there that have characters similar to the Latin alphabet, and that any given domain name itself has several characters in it that could be spoofed, the number of possible spoofs of a single domain name could easily number in the hundreds or even thousands. For instance, using only the Cyrillic alphabet, as done in the case of substituting &#1072 for 'a', there are substitutions for p, a, and y. Now my combinatorics is a bit rusty, but I believe that makes 91 possible spoofs. Multiply that number by the number of different alphabets supported (ha!) by IDN, and you get a pretty good estimate of the number of possible intentional misspellings. So my point is the possibility for exploitation of is this is not nearly so limited as previous commenters have suggested.
posted by ChasFile at 12:50 PM on February 7, 2005


Listen, I tend to be fairly tech-savvy (inasmuch as my daily computing requires it), but I'm not a programmer/web dev person (and would make a terrible hacker). Thus I have some questions.

Other than the helpful examples given by hammurderer, can someone explain the real-world ramifications of this? (I think I actually get how it works, surprisingly, but extrapolating it to all the possible problems it could cause is beyond my current level of understanding.)

I get that IE users are protected by their own, um, "innocence"-- but as a Firefox user, should I avoid ordering things from online sites, or even entering info into fields until this is resolved? Can Firefox resolve this issue? How can I easily explain to say, my mom, how this affects her and what she should do?
posted by mireille at 1:02 PM on February 7, 2005


can someone explain the real-world ramifications of this?

What if, instead of "meow," the page at the spoofed paypal.com was an exact replica of the paypal homepage? And what if, instead of letting you set up an escrow account, the back-end of the spoof page sent your checking account and credit card numbers you enter into it during the fake "account set-up" process in an email to someone in the cayman islands?
posted by ChasFile at 1:14 PM on February 7, 2005


yo NoMich and nofundy, go back and try to hit the evil link again. You'll find it's still working (thus acting as true) even though the config says false.

Dammit all to hell, yer right. Oh well.
posted by NoMich at 1:23 PM on February 7, 2005


I totally get that (hence my question about ordering online or entering data into fields), and that's actually a good way for me to begin explaining it to an average user (for example, my mom), but is all hope lost? Are the internets officially broken?
posted by mireille at 1:24 PM on February 7, 2005


I'm going to go against the flow here and say "What bug?" As the world becomes more and more unicode, people are going to have to learn that just because two strings look the same doesn't mean they are. Not that this problem only exists in unicode, non-breaking spaces and soft hyphens are a pest in single-byte character sets too, they just happened to never hit DNS. This is a documentation/education problem, not a software problem (not that I've ever liked IDN, but given that it's the only game in town that does anything even remotely like that, it's to be expected that people will use it).

(of course the SSL certificate handling is a bug)
posted by fvw at 1:33 PM on February 7, 2005


fvw, How is this not a bug? If the letter "a" looks exactly like the letter "flubva", and someone writes:

p{flubva}yp{flubva}l.com

...which is displayed as... paypal.com, well, that's a bug.

Just like you wouldn't allow people to register Paypal.com and paypal.com as separate domains, you shouldn't allow visually-identical entries to be registered, either.
posted by odinsdream at 1:44 PM on February 7, 2005


to someone in the cayman islands

I have been to the Cayman Islands. Somebody stole my book whilst I was asleep. Therefore I can coroborate that they are all thieves. Non-tax paying, cultureless, rich thieves.
/ pointless
posted by asok at 2:04 PM on February 7, 2005


Mozilla: Working on finding a good long-term solution; provided clear workaround for disabling IDN.

No luck finding an announcement at mozilla.org. Is network.enableIDN what the above refers to, or is there an official (working) solution available?
posted by nakedcodemonkey at 2:04 PM on February 7, 2005


So make this really simple for me since I'm a moron. I just changed my Firefox browser settings. I shut down the browser and cam back in. It still says 'false' except now I see the 'meow' page which means the hijack works. S what is the solution? Don't click embedded links? Enter the URL each time?
posted by fixedgear at 2:34 PM on February 7, 2005


I'll back odinsdream on this one. The point of DNS is to provide an easy way for humans to remember Internet hosts--I just need to remember "metafilter.com" instead of 69.93.29.234. Since this issue introduces ambiguity, it's a bug--not a divide-by-zero bug, but a bug none the less.

fixedgear, et al. It looks like the about:config doesn't work. Unfortunately, it looks like the safest bet for now is to type the URL of sensitive web sites (eBay, paypal, banks, etc.) into the location bar--or bookmark the valid sites and use your bookmarks.

Let's hope the Mozilla team (and Safari, etc.) find a fix soon.
posted by MikeKD at 3:17 PM on February 7, 2005


For those wondering where to change the network.enableIDN setting, type about:config in the address box.
posted by Manjusri at 3:26 PM on February 7, 2005


S what is the solution? Don't click embedded links? Enter the URL each time?
Use IE?

The thing is that the funky code works even when part of the document text— if you copy this text:

p?ypal.com

And paste it in your address bar, it still leads to the spoofed site.
posted by Firas at 3:27 PM on February 7, 2005 [1 favorite]


How is this not a bug?

It's not a bug because it's working exactly as the standard declares it should work. The problem is with the standard, not the implementation.

Which is not to say that there isn't a problem.

This is a documentation/education problem, not a software problem...

Do you really think that this can be addressed by documentation and education? After all, it's the web, which means that it's used by uneducated people who haven't read any documentation. There's going to have to be some sort of software-level solution. I have no idea what it might look like, though. One possible answer is to come up with a universal character set that eliminates any characters of redundant appearance. Even if that's theoretically possible, though (and I'm not sure that it is), I don't think it's even remotely practical. Are there any ideas for a solution floating around out there?
posted by mr_roboto at 3:27 PM on February 7, 2005


After you set it to False clear your cache and restart Firefox. iit won't be re-enabled.
posted by page404 at 3:46 PM on February 7, 2005


Ok, so I set network.enableIDN to FALSE, cleared my cache repeatedly, restarted the browser, and as far as I can tell the exploit works exactly the same as it did before I set it to FALSE. I see no difference.
posted by Justinian at 4:14 PM on February 7, 2005


I did the same thing with no help! Oh well, back to IE for me.

(But only because I need to confirm my passwords, pins and social security numbers down at Citibank because they might cancel the account I didn't know I had.)
posted by greensweater at 4:22 PM on February 7, 2005


I can confirm what everyone else is saying - setting network.enableIDN to false and clearing the cache and restarting Firefox has no effect at all.
posted by eustacescrubb at 4:36 PM on February 7, 2005


I don't see how this is dangerous if you don't click on links from spam email. My bookmarks are still trustworthy, and I don't click through to shopping sites from suspicious sites anyway (as I would guess most people don't). What am I missing?
posted by _sirmissalot_ at 4:41 PM on February 7, 2005


What am I missing?

erm... a lot? Sir?


sorry.
posted by eustacescrubb at 4:52 PM on February 7, 2005


It's a bug.
posted by muelos at 4:55 PM on February 7, 2005


I would call this a design flaw as opposed to a bug. (muelos' bug link is a bug)

bug = code is not working the way it should
design flaw = code is working the way it should, but the design it is following is faulty

The problem is that you can no longer trust the address bar. No matter how careful you are, chances are there will be someone out there that comes up with a way to exploit it - in a way that is much more clever than the traditional "please verify your account details" type email exploit that we all know to avoid. [We all know that, right? :) ]
posted by Bort at 4:59 PM on February 7, 2005


How often do you people go to your banks or paypal from links sent to you in random emails?
posted by Iax at 4:59 PM on February 7, 2005


This is fun! Guess which words were written using the keyboard and which were written using Unicode HTML entities (without looking at the source):

сот
COT
cap
сар

or, for the trolls....

nytimes.com
nуtimеs.com
posted by MikeKD at 5:12 PM on February 7, 2005


(imagine I spent the $35 or so dollars and didn't want my mefi account anymore)
posted by MikeKD at 5:14 PM on February 7, 2005


Bort: The "bug" part of this problem is that toggling 'network.enableIDN' doesn't work as it should.
posted by muelos at 5:41 PM on February 7, 2005


Is it just me or are the faked characters appearing in a different font for everyone? On my system (old slackware with all the fonts including eastern european), it spells out paypal.com, but the bad a looks totally different.

MikeKD: the middle two look normal to me. The 2nd NYT is definitely the fake, without even clicking on it (glad I did the mouseover!). There is a serious font mismatch, including a huge amount of whitespace either side of the characters.
posted by polyglot at 8:04 PM on February 7, 2005


The font difference is much more subtle on mine (OS X; Firefox), but it's definitely there. The lettering looks nearly identical, just with thinner strokes that make the words wind up a touch shorter.

Maybe our default text fonts don't support the Unicode charset, so the browser is substituting a font that does?
posted by nakedcodemonkey at 9:11 PM on February 7, 2005


More testing confirms that FF is definitely applying a different set of rules to the Unicode text. Try this for fun: * {font-family: Webdings !important;}. The Unicode text is the only thing on the page that doesn't accept the style change.
posted by nakedcodemonkey at 9:37 PM on February 7, 2005


I did the 5:12p comment from my work machine (Win XP) and it looked pretty similar, but on my Linux laptop, there definitely is a difference. And, poly, I was probably being too obtuse with the nytimes links. It was meant to be a counterpoint to Iax's comment: Essentially, you may think that link you select is to nytimes (or cnn, or fox, etc.), but instead some shocktroll bought the cyrillic version and is hosting goatse from there. (In case anyone's worried, the link goes to Wikipedia's shocksite entry--no pictures.)
posted by MikeKD at 9:54 PM on February 7, 2005


A lurker has (in his words) hunted me down and sent a link which describes how to fix the IDN issue on Firefox a little more permanently. Click on the Sticky "IDN Spoofing Issue" topic, probably 3rd from the top.

Follow the link at your peril :)
posted by polyglot at 10:54 PM on February 7, 2005


For those who like me are more interested in the abstract 'gee, how is this worked around?' issue: http://james.seng.cc/archives/2005/02/08/idn_and_homographs_spoofing.html
posted by Firas at 11:17 PM on February 7, 2005 [1 favorite]


i wrote a little extension that gives a warning if the current url contains international characters.

this is just a proof of concept extension

the extension would be very annoying if you normally viewed international sites since it informs the user using a dialog

there are also some other situations where it won't warn the user. like if the page is loaded in a frameset .. etc

i think the best solution is to have a warning box like the popup blocker one that is configurable to warn either when there is international characters or when certain international characters are used
posted by drscroogemcduck at 12:47 AM on February 8, 2005


Firefox/Mozilla will probably implement a stopgap measure for this. I would think a warning that comes up when you click on a link containing special characters, warning you that it will contact so-and-so instead of paypal.com. Most people will ignore the warning, so the design problem will still be there :)

As for IE, it can be vulnerable. The thing is that it doesn't support IDN by default. If you get a plugin to support this standard (like microsoft suggests), IE gets bitten just as hard as every other browser. Again, this is bad design on the standard's part, not the browser's fault really (although browser/plugin manufacturers will be the one to mitigate the issue).
posted by splice at 3:49 AM on February 8, 2005


A lurker has (in his words) hunted me down and sent a link which describes how to fix the IDN issue on Firefox a little more permanently. Click on the Sticky "IDN Spoofing Issue" topic, probably 3rd from the top.


Thanks polyglot. I am not computer savvy, but followed these instructions to the letter (except I used Notepad) and it works.

Hanging with guys like you has taken away my fear of computers because I've learned to follow instructions instead of trying to blunder through myself :-)
posted by essexjan at 7:05 AM on February 8, 2005


As the world becomes more and more unicode, people are going to have to learn that just because two strings look the same doesn't mean they are.

So you're saying that people should have to adapt to the quirks of computers, rather than the other way around?
posted by DevilsAdvocate at 8:25 AM on February 8, 2005


I actually found one of these fake Paypal spams in my junkmail box a week or so ago. The message was alerting me, ironically, to possible misuse of my Paypal account--charges being made in several foreign countries, etc. To remedy this, I was to follow the link to paypal in my email and "reverify" my user ID and password. I did follow the link, just to see where it would go, and it did indeed take me to a page that looked like Paypal. However, the poor grammar and spelling in the email suggested to me that entering my info would have been an error.
I really like Firefox. I will attempt the fix.
posted by apis mellifera at 10:29 AM on February 8, 2005


The fix has been fixed. For some reason, a new FPP was opened instead of posting it here.
posted by nakedcodemonkey at 11:03 AM on February 8, 2005


Apis, that's actually a general Paypal spam scam going along for a while (I get it every couple of days to different accounts). It doesn't rely on the noted hack but if you think about it, if coupled with this hack, it'll be would be uncool to the nth degree.
posted by nakedgremlin at 3:23 PM on February 8, 2005


Because I am not an uber-geek and none of this makes any sense to me at all, I will continue to deal with these scams the way I always have. I get bunches of scam emails from PayPal, Amazon, Bank of America, and other places I have accounts all the time telling me I need to verify, validate, update or in some other way provide my information to them again to solve some sort of problem with my account. I never click the link in the email. I don't even copy and paste the emailed link into my browser. I have perfectly reliable bookmarks to every web site I hold an account at. If the email is convincing enough that I think I should be concerned (and most of them just aren't that convincing), I use my bookmark which takes me directly to the site that I know is the real thing and log in to see if I actually need to do any of these things that these emails insist I need to do. If there is a real problem with your account somewhere, you will know it as soon as you log into the "real" web site.

Besides, all the examples that people have provided here, the address in the address bar of my browser still looks entirely different from the actual "real" address and wouldn't fool me even if the site looked identical to the real deal. I guess I don't get how so many people can be fooled this way.
posted by Orb at 4:03 PM on February 8, 2005


i'm with sirmissalot (and many others). why or how on earth would you ever click on one of these links? i mean, it's not like i access my credit-card account from some porn site.

the unicode also looks distinctly different on OSX Firefox. but somebody already said that too. still, interesting "design flaw" - i also don't think it's a "bug." i'm interested to see what it looks like on a PC.
posted by mrgrimm at 8:16 PM on February 8, 2005


« Older Screencasts - movies of software   |   Next generation chips and DVDs Newer »


This thread has been archived and is closed to new comments



Post