New Browser Phishing Exploits
<div class="IPBDescription">All browsers except IE... sorta</div>
<blockquote>East coast hacker con Shmoocon ended today and they had a nasty browser exploit to show off... using International Domain Name (IDN) character support to display fake domain names in links and the address bar. Their examples use Paypal (with SSL too) and this looks very useful for phishing attacks. Interesting note that it works in every browser *except* IE (which makes this exploit a lot less dangerous in the end, I suppose).</blockquote>
--slashdot
You can test the exploit <a href='http://www.shmoo.com/idn/' target='_blank'>here</a>.
As far as I can tell, any browser using IDN is vulnerable. IE is (just about) the only browser that doesn't use IDN by default so it is, surprisingly, not vulnerable (by default).
Coincidentally, a bug in Firefox (bug 281377, I believe) makes setting network.enableIDN to false in the about:config not work after a restart (works until then though). But hey, you can always use Microsoft's recommended method of typing in the address manually when you go to important sites (like paypal). Hopefully this will be dealt with shortly.
Comments
I believe in the one!1111
long live firefox
it will be fixed asap, unlike IE, which will take till the next SP update, which is like 2 years, or a new version of micrcrap
Remember, IE is only not-vulnerable to this particular exploit because they, unsurprisingly, ignore the standard. This time it has worked in their favor.
:p j/p
<blockquote>Remember, IE is only not-vulnerable to this particular exploit because they, unsurprisingly, ignore the standard. This time it has worked in their favor.</blockquote>
Yes.
<blockquote><blockquote>Remember, IE is only not-vulnerable to this particular exploit because they, unsurprisingly, ignore the standard. This time it has worked in their favor.</blockquote>
Yes.</blockquote>
You win :p
<blockquote>Hopefully it won't do too much damage. And hopefully there will be a fix later tonight, but if not it's good to let people know about this, especially when it's possible to rip someone's bank account off.
I wouldn't be surprised if some paypal phishing sites crop up very soon using this exploit because while yes it won't work on IE, there are tons of phishing sites anyway that don't even use this IDN stuff and they, unfortunately, work just fine, so they'll probably just add IDN in hopes of snaring that rising 15% or whatever of browser users using FireFox.</blockquote>
YOU SAW IT EARLIER AND DIDNT POST ABOUT??!?!??!?!!?
I commend you.
Still less holes than IE tho, giving us an edge most of the time.
Still eep.
Firefox wins, again XD
<blockquote>Firefox wins, again XD</blockquote>
qft
The what now?
<blockquote>Still less holes than IE tho, giving us an edge most of the time.
Still eep.</blockquote>
No, it has just as many holes as IE. It's just that people are more dedicated to finding the holes in IE, because that's what the majority of people use.
<blockquote><blockquote>Still less holes than IE tho, giving us an edge most of the time.
Still eep.</blockquote>
No, it has just as many holes as IE. It's just that people are more dedicated to finding the holes in IE, because that's what the majority of people use.</blockquote>
Not true, Firefox doesn't load active-x objects too much.
If that's true then IE must be Internet Exploiter ::nerdy::
<blockquote>The what now?</blockquote>
In case you're curious about what I'm talking about, here's an explanation:
When you visit a site using a secure (anything with https://...) connection, which you should if you're sending private data, you're encrypting all your communications. But since anyone can set up their own secure webserver, you still need to verify the identity of the server. This is where certificates come in.
Part of the authentication process involves public key encryption, where everyone can encrypt data with it, but only the person(s) with the related private key can read it. Getting the private key from the public key is VERY difficult, doing the opposite is quite easy. Each https webserver has their own public/private key, and duplicating someone else's key is very difficult.
In order to verify the identity of the owner of a key, it has to be "signed" by a certificate authority that you trust. The certificate contains the key of the server, as well as a digital signature of the key, which can only come from the certificate authority (digital signatures also involve public/private keys, so certificates are also difficult to forge).
If you were to view the certificate (usually by viewing page settings or sometimes by clicking on the lock icon that appears on a secure site), then you can view the details about the certificate, including who issued it (it should be a major company like verisign), who it's issued for and when it expires. This is the way you are supposed to identify a website. In this case (if you visit the https version), the site that the certificate is issued for is NOT the site you think it is, which should signal that something's wrong.
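The two points made in this thread, that an IDN host can render as a lookalike of a known name and that the certificate is issued for the real (punycode) name rather than the one you think you see, can be checked mechanically. The following is an added example, not code from the original posts or from the Shmoo demo: it converts a URL's hostname to the ASCII-compatible `xn--` form that the resolver and the certificate's subject name actually use, and flags labels that mix scripts or become a protected brand label after mapping a small, constructed set of Cyrillic lookalikes to Latin. The confusable map and the `PROTECTED_LABELS` set are illustrative assumptions; the real Unicode confusables table is far larger.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately partial map of Cyrillic letters that render like
# Latin ones. The real Unicode confusables table is much larger; this is only
# enough to illustrate the check.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}

# Assumed list of brand labels a defender wants to protect (placeholder values).
PROTECTED_LABELS = {"example", "paypal"}

def to_ace(host):
    """ASCII-compatible form of an IDN host: this is the name DNS resolves and
    the name a TLS certificate's subject must match, whatever the address bar shows."""
    return host.encode("idna").decode("ascii")

def skeleton(label):
    """Fold known lookalike characters onto their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def scripts(label):
    """Set of Unicode script names (first word of the character name) used by letters in the label."""
    return {unicodedata.name(ch).split(" ")[0] for ch in label if ch.isalpha()}

def check_url(url):
    """Return the real wire-level host plus two signals: a label that mixes
    scripts, and a label that is a protected brand once lookalikes are folded."""
    host = urlsplit(url).hostname or ""
    verdict = {"host": host, "ace": to_ace(host), "mixed_script": False, "homograph": False}
    for label in host.split("."):
        if len(scripts(label)) > 1:
            verdict["mixed_script"] = True
        # A genuine ASCII brand label is its own skeleton, so it is never flagged.
        if label != skeleton(label) and skeleton(label) in PROTECTED_LABELS:
            verdict["homograph"] = True
    return verdict
```

Comparing `verdict["ace"]` with the name the certificate was issued for is exactly the manual check described in the post above: the signed name is the punycode one, so a valid certificate does not mean it is the site you expected.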
Looks like a temp fix is already available.
about:config
network.enableIDN > false
<b>EDIT</b>: Bah, this only works until the browser is restarted. Nevermind. We'll have to wait for the fix from Mozilla.
Although, it should be noted this error seems to be an issue with IDN, and not Firefox. Firefox is properly designed, but the IDN standard isn't (at least, according to Slashdot, but they're not known for being objective). This phisher affects the "smaller" browsers because they support multi-lingual IDN, while Internet Explorer doesn't support multi-lingual IDN.
<a href='http://forums.mozillazine.org/viewtopic.php?t=215178' target='_blank'>http://forums.mozillazine.org/viewtopic.php?t=215178</a>
Just don't add any new extensions until it's fixed properly.
<code>user_pref("network.enableIDN", false);</code> to user.js wouldn't work? That'd set the setting to false every browser startup...
[edit]
Nevermind. It seems that even though it retains the 'false' setting it isn't actually making it false, as the exploit still works...
[/edit]
If you're already at that point why not just type the URL into the current browser?
BTW, Kalias's solution does in fact work.