Oops! This Firefox security exploit is a doozy

Last month, I predicted that as Firefox became more popular it would face more and more attacks from the Internet’s dark side. A security bulletin issued today appears to identify the first widespread security exploit aimed at non-Microsoft browsers. Ironically, you’re protected if you use Internet Explorer (which does not support internationalized domain names at all), but you’re vulnerable if you use most Mozilla-based browsers, including Firefox 1.0; this vulnerability also affects Safari 1.2.5 (Macintosh) and Opera 7.54, and perhaps other versions of those browsers as well. Here’s how it works:

You visit an innocent-looking Web page or receive a seemingly authentic e-mail. You click a link that appears to take you to a trusted site (the security advisory uses PayPal as an example) using your default browser, Firefox. The URL in the Address bar says you’re at PayPal’s site, and the locked padlock icon in the lower right corner indicates that you’re on a secure site.

The only trouble is, you’re not at PayPal’s site. You’ve just landed at a site owned by someone who wants to steal your information, and even a careful and suspicious visitor can be fooled by this exploit. The exploit works because of a flaw in the way these browsers display internationalized domain names (IDNs). A registered IDN travels through DNS in an ASCII encoding called “punycode”, but the browser decodes it and shows the Unicode form, and other writing systems such as Cyrillic contain letters that are visually identical to Latin ones. A domain name that substitutes one of those look-alike characters for a Latin letter therefore appears in the Address bar exactly as the real name would (the advisory calls this a homograph attack). And the same technique could be used against any site.
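To make the mechanism concrete, here is an added example (written for this page, not code from the advisory or from any browser vendor) that shows the two faces of such a name: the ASCII “xn--” form that DNS resolves and the Unicode form a browser displays. It also implements the simple mixed-script check that browsers later adopted as a defense: if a single label mixes writing systems, show the punycode form instead of the look-alike Unicode. The sample hostnames are constructed for the example, and the script classification (taken from the first word of each character’s Unicode name) is a deliberate simplification, since Python’s standard library exposes no script property.

```python
import unicodedata

# Constructed sample hostnames for this example. The first one mixes a
# Cyrillic "а" (U+0430) into an otherwise Latin label; the others are a plain
# ASCII name and a legitimate single-script IDN.
SAMPLES = {
    "lookalike": "p\u0430ypal.com",   # Cyrillic а in position 1
    "genuine":   "paypal.com",
    "german":    "m\u00fcnchen.de",    # ü is Latin script, so the label is single-script
}


def to_ascii(hostname: str) -> str:
    """Encode a Unicode hostname into the ASCII ("xn--") form that DNS actually sees."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname: str) -> str:
    """Decode an ASCII/punycode hostname back to the form a browser would display."""
    return hostname.encode("ascii").decode("idna")


def script_of(ch: str) -> str:
    """Rough script classification from the Unicode character name.

    unicodedata has no script property, so this uses the first word of the
    name ("LATIN", "CYRILLIC", "GREEK", ...). Digits and hyphens are allowed
    in any label and are treated as script-neutral.
    """
    if ch in "-0123456789":
        return "COMMON"
    name = unicodedata.name(ch, "UNKNOWN")
    return name.split(" ", 1)[0]


def scripts_in_label(label: str) -> set:
    """Set of scripts used by a single DNS label, ignoring neutral characters."""
    return {script_of(ch) for ch in label} - {"COMMON"}


def is_mixed_script(hostname: str) -> bool:
    """True if any label of the (decoded) hostname mixes writing systems.

    A label written entirely in one script (Latin "münchen", Cyrillic "мир")
    is allowed; "pаypal" with a Cyrillic а among Latin letters is not.
    """
    decoded = to_unicode(to_ascii(hostname))
    return any(len(scripts_in_label(label)) > 1 for label in decoded.split("."))


def display_form(hostname: str) -> str:
    """What a hardened address bar should show: Unicode if the name is
    single-script per label, otherwise the raw xn-- form so the look-alike
    is visibly different from the real site."""
    ascii_form = to_ascii(hostname)
    return ascii_form if is_mixed_script(hostname) else to_unicode(ascii_form)


if __name__ == "__main__":
    for kind, host in SAMPLES.items():
        print(f"{kind:9} {host!r:22} dns={to_ascii(host):22} "
              f"mixed={is_mixed_script(host)!s:5} show={display_form(host)}")
```

Run it and the look-alike name comes out as `xn--pypal-4ve.com` on the DNS side while decoding to a string that is indistinguishable from `paypal.com` on screen; the mixed-script check catches it, and the German name passes. The check is only a first line of defense: a look-alike built entirely from Latin characters (an accented “à” instead of “a”, for instance) is single-script and would still be displayed in Unicode, which is why browsers also added per-TLD policies and confusable-character tables later on.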

A demonstration of the exploit appears here:

http://www.shmoo.com/idn/

Don’t worry, the demo is harmless. But a scam artist who can cut and paste HTML source code can turn the landing page into an exact duplicate of PayPal’s site, or your online banking portal, or a shopping site, or anything they want. This sort of scam will fool a lot of people.

The only indication that you’re not at the correct site appears if you choose the option to use a secure logon and check the security certificate. Even then, you have to dig carefully past the opening page of the certificate dialog box, which itself looks perfectly legitimate, to see which name the certificate was actually issued to.

The official security advisory is here. According to one site, there’s a manual fix you can apply to a Firefox configuration file that can block this vulnerability, but I can’t confirm that it works.

(Via Boing Boing and Discourse.net.)

Update: Edited opening paragraph to prevent confusion. See comments for details.

12 thoughts on “Oops! This Firefox security exploit is a doozy”

  1. Did I miss something? When did Safari and Opera get to be Mozilla-based?!

    Last I checked, Safari was KHTML-based (like Konqueror) and Opera was, well Opera-based.

  2. “you’re vulnerable if you use most Mozilla-based browsers, including Firefox 1.0, or Safari 1.2.5 or Opera 7.54”

    Or perhaps I just mis-parsed that sentence. It IS a bit ambiguous, now that I look closer.

    Perhaps something like this would work better:
    “most Mozilla-based browsers (including Firefox), as well as Safari and Opera”

  3. I did not say that Safari or Opera are Mozilla based. The original item read:

    “Mozilla-based browsers, including Firefox 1.0, or Safari 1.2.5 or Opera 7.54.”

    The list of Mozilla-based browsers includes a number of products, but the best known one is Firefox. This vulnerability affects ALL Mozilla-based browsers AND Safari AND Opera.

    Sorry you were confused, and thanks for pointing out the possible ambiguity. I’ve edited the sentence to help other readers avoid making the same mistake.

  4. Looking at the responses, it makes me not want to use Opera:
    http://www.shmoo.com/idn/homograph.txt
    Vendor Response:
    Verisign: No response yet.
    Apple: No response yet.
    Opera: They believe they have correctly implemented IDN, and will not be
    making any changes.
    Mozilla: Working on finding a good long-term solution; provided clear
    workaround for disabling IDN. (That workaround for the technically minded is at the URL above)

  5. So, where’s the media coverage on this security vulnerability? Interesting that anytime IE has a major problem the media has to give it full attention and drag MS down for it.

  6. Where’s the coverage? Right here

    As described in the article, it seems to be more of a security flaw in the structure of the new international domain name system itself.

    Quote: The advisory demonstrates the attack using the domain for PayPal, but using an alternate Unicode character for the first “a.” That gives an address that looks like “http://www.pàypal.com,” but with a smaller “a.”

  7. I’d still like to note that the flaw is less with the browser than with the domain system. The only reason IE is unaffected is because it doesn’t understand internationalized domains. This is like someone registering the name paypal.com (but with one or both a’s having an umlaut on top) and calling it a browser security exploit.

    I think the fix in this case is obvious… PayPal goes to ICANN and asks that the domains with the look-alike letters be taken down.

  8. I’m really not sure I understand the distinction, Wes. The IDN is designed to provide a way for browsers to recognize names that contain characters from alternate character sets. If the domain name contains an accented letter A from another character set, it shouldn’t be recognized as a regular unaccented A from the Latin character set. That’s the bug in Firefox, and the fact that they’ve already checked in a fix for it suggests that they agree the problem is theirs.

    As for ICANN… Phishers are hit-and-run artists. They do their work with domains they know are going to expire within 48 hours. PayPal is reporting them to legal authorities and getting the sites taken down as fast as they can. Do you think ICANN would get to them any faster?

  9. Well, ICANN allowing the domain registration is the problem here – they don’t do their job properly.
    Otherwise what is the purpose of domain registration? Why do we need an authority if it’s not to ‘protect’ users? If they don’t do any screening of domains, then we don’t need them at all and they should disappear – at least the situation will be clearer and the ball will be clearly in the browser’s hands (and Opera would probably do something about it :-).
    Thus, I think this phishing shows that ICANN should die, they are useless.

    On the other hand, the reason IE won’t claim loudly that they have no problem with it is just because it would be too easy to remark that the phishing does not work with IE because they don’t support IDN at all… very bad publicity in the ever growing international world (remember that the English web is now less than half the web :-)

  10. Maybe the people at MS have the ability to think ahead and thus have not implemented the IDN for a reason they foresaw.. duh. Oh yeah- they also have companies running mission critical software, not just geeks in their parents basements (myself included! HAHA). Anyway- everyone thinks firefox is the greatest thing now- funny no one mentions Netscape..

  11. Firefox has a new version available for download. According to this site, Firefox users should upgrade to version 1.5.0.3

    A recent Mozilla Security Bulletin explains that a possible exploit exists in Firefox version 1.5.0.2 that can cause browser crashes and run malicious code.

    To obtain the latest version of Firefox visit:
    http://www.mozilla.com/firefox/

    [Edited to make links clickable – EB]
