Comments on: IDN browser hacks

IDN browser hacks

mathowie — Mon, 07 Feb 2005 11:12:48 -0800

Heard about the IDN browser hack? Try out this test page which should open your eyes (the hack is blocked in IE, ironically enough). Here's a list of all affected browsers, ways to fix this in mozilla inside.

By: mathowie

mathowie — Mon, 07 Feb 2005 11:14:49 -0800

A new user sent this to me to post, and added the following:

"You can disable IDN support in mozilla products by setting 'network.enableIDN' to false. There is no workaround known for Opera or Safari." This is obviously something which has to change at the standard level, not the implementation level, but until then... Phishing just got THAT much easier.

By: cavalier

cavalier — Mon, 07 Feb 2005 11:18:06 -0800

Hey Matt, Bad news... at least on Firefox... you can set this to false, but upon restart the browser sets itself to true again. Try it on the exploit and see. When you re-config it still lists as false but you have to -true-false- again in order to re-false it. :(

By: riffola

riffola — Mon, 07 Feb 2005 11:18:12 -0800

Yikes that's bad! I just turned it off. It sucks that I needed to turn it off.

By: riffola

riffola — Mon, 07 Feb 2005 11:20:37 -0800

Oh cavalier is correct, Firefox does reenable it.

By: unrequited

unrequited — Mon, 07 Feb 2005 11:21:25 -0800

Weee, matt posted my suggestion from email 'cause I'm not authorized to post FPs yet. Here are some other links: For an example, try clicking these two links, mouseover 'em, whatever, copy/paste into url location bar whatever... http://www.p?ypal.com/ https://www.p?ypal.com/ And as for a workaround... "V.Workaround You can disable IDN support in mozilla products by setting 'network.enableIDN' to false. There is no workaround known for Opera or Safari." This is obviously something which has to change at the standard level, not the implementation level, but until then... Phishing just got THAT much easier.

By: unrequited

unrequited — Mon, 07 Feb 2005 11:24:52 -0800

Ahhh, well it seems, that even though the links passed through the preview screen of posting, Metafilter is protected against using IDN names... or it doesn't support them heh. Same thing.

By: H. Roark

H. Roark — Mon, 07 Feb 2005 11:29:25 -0800

It might be helpful to tell us what to expect. Will clicking on the link format our C drives? Will it open up a torrent of spam? I mean how fun does this link sound: Heard about the DEATH hack? Click here to try it out

By: riffola

riffola — Mon, 07 Feb 2005 11:31:40 -0800

https://www.pаypal.com/

By: fenriq

fenriq — Mon, 07 Feb 2005 11:32:25 -0800

So wait, if the hack works then I should have seen the Spoof PayPal site? I only got a little page with a Meow in the upper left hand corner.

By: riffola

riffola — Mon, 07 Feb 2005 11:33:44 -0800

H. Roark, it's just a page that features a word, nothing malicious, it's a demo. fenriq, I think the site is supposed to show the Meow isntead of the paypal site to show you how even though the url bar indicates the address is correct, it's not Paypal.

By: odinsdream

odinsdream — Mon, 07 Feb 2005 11:33:46 -0800

Can anyone explain this in plain english? The text file describing the hack says that the URL is translated to: www.xn--pypal-4ve.com ...does this mean that the hack requires you to buy a domain based on what you expect the unicode characters to translate to? I'm confused. For instance, from my understanding, I'd never be able to claim my site was paypal.com in the same way shmoo did since shmoo already bought xn--pypal-4ve.com, but I might be able to pick a different domain name that might also work? For instance, using the code for the second A, rather than the first...?

By: fenriq

fenriq — Mon, 07 Feb 2005 11:37:24 -0800

riffola, thanks for the explanation. The site could be a little clearer in what's going on. Isn't the safest thing to do when confronted with an embedded URL, to open a new tab and type in the site you're trying to get to rather than clicking the link?

By: NinjaPirate

NinjaPirate — Mon, 07 Feb 2005 11:40:41 -0800

Fortunately, the less-savvy still use IE and suffer their protection through disability. The more capable web users on more advanced browsers should just be slightly more aware of the pages they're visiting and the emails that they receive. [telephone help] If you get an email asking you to log into your account and you believe it to be genuine, follow the link and put junk into the login form. If it doesn't give you a proper error page or, amazingly, it appears as though you've actually logged in successfully, tell the owners of the genuine site, forwarding the email. If you don't think it's genuine, delete the email. [/telephone help] Happy monday, all. (on preview: I'm with odinsdream - how can this work at the DNS side?)

By: nofundy

nofundy — Mon, 07 Feb 2005 11:43:04 -0800

Firefox saved the setting for me after I set it to false. Shut the browser down and brought it up, still good. For those who don't know, type about:config in the address space, find the network.enableIDN (its alphabetical), then click on it to change the setting.

By: NinjaPirate

NinjaPirate — Mon, 07 Feb 2005 11:48:30 -0800

fenriq - that's my favourite piece of IE tech support ever. "The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site." Or, you could go into Options->Settings and untick the box for "Whole Point of the Internet"

By: Aknaton

Aknaton — Mon, 07 Feb 2005 11:50:55 -0800

In Galeon, when I mouseover the fake URLs, the bar at the bottom grows by a pixel or two in a way that it doesn't for ordinary URLs. Wonder how long it'll take to spoof that as well. ObConspiracy: this is Redmond's way of scaring off potential switchers to Firefox! Having set network.enableIDN to false, the only change for me is that it says "can't find paypal.com", without adding "because it's been spelled in a ridiculous way". Better than nothing of course.

By: odinsdream

odinsdream — Mon, 07 Feb 2005 11:58:03 -0800

For what it's worth, setting network.enableIDN to false for me, in firefox on Windows, does absolutely nothing. The setting is retained through restarts, but the links still work, and still appear normally. Even worse, right-clicking and copying a link's destination then pasting it into Notepad is also useless. The only way for me to currently avoid bad links would be to look at the source code for the page and see the funky code. But, I'd like to ask again, this seems to require that you pick a URL with certain characters, figure out what wacky codes you can use in place of those characters, and then buy a funky domain name based on what you expect the browser to translate it to. Let me know if I'm wrong, but I don't, for example, see any way to actually implement this hack on my own web server without first shelling out for a domain name, and even then, it's going to require one new domain for each site I want to impersonate.

By: NoMich

NoMich — Mon, 07 Feb 2005 12:17:42 -0800

I'm with nofundy, it's still set to False after restarting Firefox 1.0 (WinXP Pro).

By: tommyc

tommyc — Mon, 07 Feb 2005 12:27:41 -0800

Here's a safari tip. Go to the phoney paypal link above and double click the word paypal in the address bar. Only the pyal bit gets highlighted (or the "a" on its own if you double click it) because it's not a real a. Trying it with the kosher paypal site causes the entire paypal word to be highlighted.

By: weapons-grade pandemonium

weapons-grade pandemonium — Mon, 07 Feb 2005 12:28:03 -0800

...type the URL of your intended destination in the address bar yourself... Or, much easier, use a handy little freeware program called Typeitin (which I got from a recent MeFi freeware post). Program it for your sensitive URLs, then one click does it all.

By: hammurderer

hammurderer — Mon, 07 Feb 2005 12:28:28 -0800

Odinsdream, I believe you are right. But the process of finding a fake URL is basically as simple as looking up a homograph of a single letter in a URL. The IDN (or punycode?) standard will tell you which mangled URL you should buy. Presumably, you're using a stolen credit card and false information to buy this URL. And you only need the URL for a couple of days, to get information from maybe three or four people. That's a quick couple of thousand bucks. Phishing aside, you can also use this exploit to create political mayhem. Imagine this email floating around before the next election: I knew the democrats were evil communists, but check this out! Go to http://www.democrats.org/, and read their latest headline about legalizing gay marriage and euthanasia! Or think about the fake CNN or NYT stories you could circulate about terrorist attacks, crazy world leaders or celebrity scandals. It's probably not the end of the world, but imagine what you could do if you could pretend to be any website for one day.

By: cavalier

cavalier — Mon, 07 Feb 2005 12:28:32 -0800

yo NoMich and nofundy, go back and try to hit the evil link again. You'll find it's still working (thus acting as true) even though the config says false. fenriq, the idea is, you want to scam people out of their info. You send them to a page that says click here to go to paypal and submit your info. Then they go to www.44---pa--vh--ypal.com, which you registered, and you take their info. Phishing done.

By: davy

davy — Mon, 07 Feb 2005 12:48:23 -0800

Yikes, that hack beats SpoofStick. "You can disable IDN support in mozilla products by setting 'network.enableIDN' to false." How do you do that in Mozilla products? I don't see anything about it in Edit > Preferences.

By: ChasFile

ChasFile — Mon, 07 Feb 2005 12:50:52 -0800

As there are many different alphabets out there that have characters similar to the Latin alphabet, and that any given domain name itself has several characters in it that could be spoofed, the number of possible spoofs of a single domain name could easily number in the hundreds or even thousands. For instance, using only the Cyrillic alphabet, as done in the case of substituting &#1072 for 'a', there are substitutions for p, a, and y. Now my combinatorics is a bit rusty, but I believe that makes 91 possible spoofs. Multiply that number by the number of different alphabets supported (ha!) by IDN, and you get a pretty good estimate of the number of possible intentional misspellings. So my point is the possibility for exploitation of is this is not nearly so limited as previous commenters have suggested.

By: mireille

mireille — Mon, 07 Feb 2005 13:02:23 -0800

Listen, I tend to be fairly tech-savvy (inasmuch as my daily computing requires it), but I'm not a programmer/web dev person (and would make a terrible hacker). Thus I have some questions. Other than the helpful examples given by hammurderer, can someone explain the real-world ramifications of this? (I think I actually get how it works, surprisingly, but extrapolating it to all the possible problems it could cause is beyond my current level of understanding.) I get that IE users are protected by their own, um, "innocence"-- but as a Firefox user, should I avoid ordering things from online sites, or even entering info into fields until this is resolved? Can Firefox resolve this issue? How can I easily explain to say, my mom, how this affects her and what she should do?

By: ChasFile

ChasFile — Mon, 07 Feb 2005 13:14:35 -0800

can someone explain the real-world ramifications of this? What if, instead of "meow," the page at the spoofed paypal.com was an exact replica of the paypal homepage? And what if, instead of letting you set up an escrow account, the back-end of the spoof page sent your checking account and credit card numbers you enter into it during the fake "account set-up" process in an email to someone in the cayman islands?

By: NoMich

NoMich — Mon, 07 Feb 2005 13:23:43 -0800

yo NoMich and nofundy, go back and try to hit the evil link again. You'll find it's still working (thus acting as true) even though the config says false. Dammit all to hell, yer right. Oh well.

By: mireille

mireille — Mon, 07 Feb 2005 13:24:01 -0800

I totally get that (hence my question about ordering online or entering data into fields), and that's actually a good way for me to begin explaining it to an average user (for example, my mom), but is all hope lost? Are the internets officially broken?

By: fvw

fvw — Mon, 07 Feb 2005 13:33:59 -0800

I'm going to go against the flow here and say "What bug?" As the world becomes more and more unicode, people are going to have to learn that just because two strings look the same doesn't mean they are. Not that this problem only exists in unicode, non-breaking spaces and soft hyphens are a pest in single-byte character sets too, they just happened to never hit DNS. This is a documentation/education problem, not a software problem (not that I've ever liked IDN, but given that it's the only game in town that does anything even remotely like that, it's to be expected that people will use it). (of course the SSL certificate handling is a bug)

By: odinsdream

odinsdream — Mon, 07 Feb 2005 13:44:38 -0800

fvw, How is this not a bug? If the letter "a" looks exactly like the letter "flubva", and someone writes: p{flubva}yp{flubva}l.com ...which is displayed as... paypal.com, well, that's a bug. Just like you wouldn't allow people to register Paypal.com and paypal.com as separate domains, you shouldn't allow visually-identical entries to be registered, either.

By: asok

asok — Mon, 07 Feb 2005 14:04:20 -0800

to someone in the cayman islands I have been to the Cayman Islands. Somebody stole my book whilst I was asleep. Therefore I can coroborate that they are all thieves. Non-tax paying, cultureless, rich thieves. / pointless

By: nakedcodemonkey

nakedcodemonkey — Mon, 07 Feb 2005 14:04:54 -0800

Mozilla: Working on finding a good long-term solution; provided clear workaround for disabling IDN. No luck finding an announcement at mozilla.org. Is network.enableIDN what the above refers to, or is there an official (working) solution available?

By: fixedgear

fixedgear — Mon, 07 Feb 2005 14:34:02 -0800

So make this really simple for me since I'm a moron. I just changed my Firefox browser settings. I shut down the browser and cam back in. It still says 'false' except now I see the 'meow' page which means the hijack works. S what is the solution? Don't click embedded links? Enter the URL each time?

By: MikeKD

MikeKD — Mon, 07 Feb 2005 15:17:56 -0800

I'll back odinsdream on this one. The point of DNS is to provide an easy way for humans to remember Internet hosts--I just need to remember "metafilter.com" instead of 69.93.29.234. Since this issue introduces ambiguity, it's a bug--not a divide-by-zero bug, but a bug none the less. fixedgear, et al. It looks like the about:config doesn't work. Unfortunately, it looks like the safest bet for now is to type the URL of sensitive web sites (eBay, paypal, banks, etc.) into the location bar--or bookmark the valid sites and use your bookmarks. Let's hope the Mozilla team (and Safari, etc.) find a fix soon.

By: Manjusri

Manjusri — Mon, 07 Feb 2005 15:26:56 -0800

For those wondering where to change the network.enableIDN setting, type about:config in the address box.

By: Firas

Firas — Mon, 07 Feb 2005 15:27:33 -0800

S what is the solution? Don't click embedded links? Enter the URL each time?

Use IE? The thing is that the funky code works even when part of the document text— if you copy this text: p?ypal.com And paste it in your address bar, it still leads to the spoofed site.

By: mr_roboto

mr_roboto — Mon, 07 Feb 2005 15:27:50 -0800

How is this not a bug? It's not a bug because it's working exactly as the standard declares it should work. The problem is with the standard, not the implementation. Which is not to say that there isn't a problem. This is a documentation/education problem, not a software problem... Do you really think that this can be addressed by documentation and education? After all, it's the web, which means that it's used by uneducated people who haven't read any documentation. There's going to have to be some sort of software-level solution. I have no idea what it might look like, though. One possible answer is to come up with a universal character set that eliminates any characters of redundant appearance. Even if that's theoretically possible, though (and I'm not sure that it is), I don't think it's even remotely practical. Are there any ideas for a solution floating around out there?

By: page404

page404 — Mon, 07 Feb 2005 15:46:47 -0800

After you set it to False clear your cache and restart Firefox. iit won't be re-enabled.

By: Justinian

Justinian — Mon, 07 Feb 2005 16:14:39 -0800

Ok, so I set network.enableIDN to FALSE, cleared my cache repeatedly, restarted the browser, and as far as I can tell the exploit works exactly the same as it did before I set it to FALSE. I see no difference.

By: greensweater

greensweater — Mon, 07 Feb 2005 16:22:27 -0800

I did the same thing with no help! Oh well, back to IE for me. (But only because I need to confirm my passwords, pins and social security numbers down at Citibank because they might cancel the account I didn't know I had.)

By: eustacescrubb

eustacescrubb — Mon, 07 Feb 2005 16:36:30 -0800

I can confirm what everyone else is saying - setting network.enableIDN to false and clearing the cache and restarting Firefox has no effect at all.

By: _sirmissalot_

_sirmissalot_ — Mon, 07 Feb 2005 16:41:48 -0800

I don't see how this is dangerous if you don't click on links from spam email. My bookmarks are still trustworthy, and I don't click through to shopping sites from suspicious sites anyway (as I would guess most people don't). What am I missing?

By: eustacescrubb

eustacescrubb — Mon, 07 Feb 2005 16:52:16 -0800

What am I missing? erm... a lot? Sir? sorry.

By: muelos

muelos — Mon, 07 Feb 2005 16:55:33 -0800

It's a bug.

By: Bort

Bort — Mon, 07 Feb 2005 16:59:54 -0800

I would call this a design flaw as opposed to a bug. (muelos' bug link is a bug) bug = code is not working the way it should design flaw = code is working the way it should, but the design it is following is faulty The problem is that you can no longer trust the address bar. No matter how careful you are, chances are there will be someone out there that comes up with a way to exploit it - in a way that is much more clever than the traditional "please verify your account details" type email exploit that we all know to avoid. [We all know that, right? :) ]

By: Iax

Iax — Mon, 07 Feb 2005 16:59:56 -0800

How often do you people go to your banks or paypal from links sent to you in random emails?

By: MikeKD

MikeKD — Mon, 07 Feb 2005 17:12:58 -0800

This is fun! Guess which words were written using the keyboard and which were written using Unicode HTML entities (without looking at the source): сот COT cap сар or, for the trolls.... nytimes.com nуtimеs.com

By: MikeKD

MikeKD — Mon, 07 Feb 2005 17:14:43 -0800

(imagine I spent the $35 or so dollars and didn't want my mefi account anymore)

By: muelos

muelos — Mon, 07 Feb 2005 17:41:34 -0800

Bort: The "bug" part of this problem is that toggling 'network.enableIDN' doesn't work as it should.

By: polyglot

polyglot — Mon, 07 Feb 2005 20:04:58 -0800

Is it just me or are the faked characters appearing in a different font for everyone? On my system (old slackware with all the fonts including eastern european), it spells out paypal.com, but the bad a looks totally different.
MikeKD: the middle two look normal to me. The 2nd NYT is definitely the fake, without even clicking on it (glad I did the mouseover!). There is a serious font mismatch, including a huge amount of whitespace either side of the characters.

By: nakedcodemonkey

nakedcodemonkey — Mon, 07 Feb 2005 21:11:22 -0800

The font difference is much more subtle on mine (OS X; Firefox), but it's definitely there. The lettering looks nearly identical, just with thinner strokes that make the words wind up a touch shorter. Maybe our default text fonts don't support the Unicode charset, so the browser is substituting a font that does?

By: nakedcodemonkey

nakedcodemonkey — Mon, 07 Feb 2005 21:37:11 -0800

More testing confirms that FF is definitely applying a different set of rules to the Unicode text. Try this for fun: * {font-family: Webdings !important;}. The Unicode text is the only thing on the page that doesn't accept the style change.

By: MikeKD

MikeKD — Mon, 07 Feb 2005 21:54:30 -0800

I did the 5:12p comment from my work machine (Win XP) and it looked pretty similar, but on my Linux laptop, there definitely is a difference. And, poly, I was probably being too obtuse with the nytimes links. It was meant to be a counterpoint to Iax's comment: Essentially, you may think that link you select is to nytimes (or cnn, or fox, etc.), but instead some shocktroll bought the cyrillic version and is hosting goatse from there. (In case anyone's worried, the link goes to Wikipedia's shocksite entry--no pictures.)

By: polyglot

polyglot — Mon, 07 Feb 2005 22:54:32 -0800

By: Firas

Firas — Mon, 07 Feb 2005 23:17:30 -0800

For those who like me are more interested in the abstract 'gee, how is this worked around?' issue: http://james.seng.cc/archives/2005/02/08/idn_and_homographs_spoofing.html

By: drscroogemcduck

drscroogemcduck — Tue, 08 Feb 2005 00:47:25 -0800

i wrote a little extension that gives a warning if the current url contains international characters. this is just a proof of concept extension the extension would be very annoying if you normally viewed international sites since it informs the user using a dialog there are also some other situations where it won't warn the user. like if the page is loaded in a frameset .. etc i think the best solution is to have a warning box like the popup blocker one that is configurable to warn either when there is international characters or when certain international characters are used

By: splice

splice — Tue, 08 Feb 2005 03:49:43 -0800

Firefox/Mozilla will probably implement a stopgap measure for this. I would think a warning that comes up when you click on a link containing special characters, warning you that it will contact so-and-so instead of paypal.com. Most people will ignore the warning, so the design problem will still be there :) As for IE, it can be vulnerable. The thing is that it doesn't support IDN by default. If you get a plugin to support this standard (like microsoft suggests), IE gets bitten just as hard as every other browser. Again, this is bad design on the standard's part, not the browser's fault really (although browser/plugin manufacturers will be the one to mitigate the issue).

By: essexjan

essexjan — Tue, 08 Feb 2005 07:05:01 -0800

A lurker has (in his words) hunted me down and sent a link which describes how to fix the IDN issue on Firefox a little more permanently. Click on the Sticky "IDN Spoofing Issue" topic, probably 3rd from the top. Thanks polyglot. I am not computer savvy, but followed these instructions to the letter (except I used Notepad) and it works. Hanging with guys like you has taken away my fear of computers because I've learned to follow instructions instead of trying to blunder through myself :-)

By: DevilsAdvocate

DevilsAdvocate — Tue, 08 Feb 2005 08:25:35 -0800

As the world becomes more and more unicode, people are going to have to learn that just because two strings look the same doesn't mean they are. So you're saying that people should have to adapt to the quirks of computers, rather than the other way around?

By: apis mellifera

apis mellifera — Tue, 08 Feb 2005 10:29:21 -0800

I actually found one of these fake Paypal spams in my junkmail box a week or so ago. The message was alerting me, ironically, to possible misuse of my Paypal account--charges being made in several foreign countries, etc. To remedy this, I was to follow the link to paypal in my email and "reverify" my user ID and password. I did follow the link, just to see where it would go, and it did indeed take me to a page that looked like Paypal. However, the poor grammar and spelling in the email suggested to me that entering my info would have been an error. I really like Firefox. I will attempt the fix.

By: nakedcodemonkey

nakedcodemonkey — Tue, 08 Feb 2005 11:03:19 -0800

The fix has been fixed. For some reason, a new FPP was opened instead of posting it here.

By: nakedgremlin

nakedgremlin — Tue, 08 Feb 2005 15:23:43 -0800

Apis, that's actually a general Paypal spam scam going along for a while (I get it every couple of days to different accounts). It doesn't rely on the noted hack but if you think about it, if coupled with this hack, it'll be would be uncool to the nth degree.

By: Orb

Orb — Tue, 08 Feb 2005 16:03:01 -0800

Because I am not an uber-geek and none of this makes any sense to me at all, I will continue to deal with these scams the way I always have. I get bunches of scam emails from PayPal, Amazon, Bank of America, and other places I have accounts all the time telling me I need to verify, validate, update or in some other way provide my information to them again to solve some sort of problem with my account. I never click the link in the email. I don't even copy and paste the emailed link into my browser. I have perfectly reliable bookmarks to every web site I hold an account at. If the email is convincing enough that I think I should be concerned (and most of them just aren't that convincing), I use my bookmark which takes me directly to the site that I know is the real thing and log in to see if I actually need to do any of these things that these emails insist I need to do. If there is a real problem with your account somewhere, you will know it as soon as you log into the "real" web site. Besides, all the examples that people have provided here, the address in the address bar of my browser still looks entirely different from the actual "real" address and wouldn't fool me even if the site looked identical to the real deal. I guess I don't get how so many people can be fooled this way.

By: mrgrimm

mrgrimm — Tue, 08 Feb 2005 20:16:28 -0800

i'm with sirmissalot (and many others). why or how on earth would you ever click on one of these links? i mean, it's not like i access my credit-card account from some porn site. the unicode also looks distinctly different on OSX Firefox. but somebody already said that too. still, interesting "design flaw" - i also don't think it's a "bug." i'm interested to see what it looks like on a PC.