Firefox security vulnerability

There’s a Phishing technique in play now where crooks register international domain names with special characters that *look* like letters but are really not what they seem.

Its so popular for everyone to complain about Microsoft security problems. Interestingly, this bug is present in Firefox and NOT in Internet Explorer. Firefox fans would probably say, “its just because Microsoft doesn’t support the latest standards for international domain names”. Perhaps that is true, but at the end of the day, this is a bug in Firefox, and not IE.

The problem lies with Unicode. In the early 90s, you couldn’t use two character sets at the same time. If you were working in both Japanese and Chinese, you had to pick one character set to use at a time, which made it very tricky to use applications in multiple languages. Unicode was invented to solve this problem. Unicode defines basically all characters, in all languages, and has worked very well. It also, however, unleashes this particular bug. For instance, the letter “a”, has a unicode value. However, it turns out that unicode character &#1072, also LOOKS like “a”, but is really a different character.

This allows the bad guys to create Urls like this one:

To the user, this looks like a real link to paypal. But its NOT. Its a fake. Go ahead, and test your browser. If you are using IE, you’ll see a page-not-found error. If you see a page, then your browser is vulnerable.

I hope that the domain registrars jump in to help fix this. Seems like we should be able to pretty easily spot bogus domain name registrations. There are probably a lot of combinations of forged addresses, but it should be detectable and prohibited from the root.