Firefox browser exploit discovered on all non IE browsers! Mozilla, Opera, Safari affected
Oh crap, just discovered this through BoingBoing. Looks like an east coast hacker convention Shmoocon has discovered a serious bug in many non Explorer browsers. Firefox, Mozilla, Opera, Safari all affected. There is now a way to spoof even SSL urls.
For the non technical, it is now possible for phishing emails to put bogus links to official looking but fake versions of major commercial sites like Paypal or Amazon while disguising the bogus links when a user mouse overs the link.
An example is show on this page.
http://www.shmoo.com/idn/
Hover your mouse over the links. The top link points to what appears to be the regular Paypal link. The second link points to the seemingly secure Paypal site. Now click on both those links. Not Paypal is it?
The Firefox/Mozilla fix is copied and pasted below.
1) Goto your Firefox address bar. Enter about:config and press enter. Firefox will load the (large!) config page.
2) Scroll down to the line beginning network.enableIDN—this is International Domain Name support, and it is causing the problem here. We want to turn this off—for now. Ideally we want to support international domain names, but not with this problem.
3) Double-click the network.enableIDN label, and Firefox will show a dialog set to ‘true’. Change it to ‘false’ (no quotes!), click Ok. You are done.
4) Go check out the shmoo demo again and notice it no longer works.
{embed="video-games/dpadz-ads3x25"}
Snip from the Shmoo page.
2002 - Original paper published on homograph attacks
2002-2005 - Verisign pushes IDN, and browsers start adding support for it
Jan 19, 2005 - Vendors notified of vulnerability
Feb 6, 2005 - Public disclosure @shmoocon 2005
Vendor Responses
Verisign: No response yet.
Apple: No response yet.
Opera: They believe they have correctly implemented IDN, and will not be
making any changes.
Mozilla: Working on finding a good long-term solution; provided clear workaround for disabling IDN.
RSS 2.0
Atom