328 matches found

Fedora
added 2018/04/06 11:11 a.m. | 18 views

[SECURITY] Fedora 28 Update: libidn-1.34-1.fc28

GNU Libidn is an implementation of the Stringprep, Punycode and IDNA specifications defined by the IETF Internationalized Domain Names (IDN) working group, used for internationalized domain names...

9.8 CVSS | 2 AI score | 0.01215 EPSS
Exploits: 0

Krebs on Security
added 2018/03/08 4:55 p.m. | 54 views

Look-Alike Domains and Visual Confusion

How good are you at telling the difference between domain names you know and trust and impostor or look-alike domains? The answer may depend on how familiar you are with the nuances of internationalized domain names (IDNs), as well as which browser or Web application you're using. For example, how...

6.5 AI score
Exploits: 0

Hacker One
added 2018/02/20 4:51 p.m. | 58 views

Brave Software: Bypassing Homograph Attack Using /@ [ Tested On Windows ]

Summary: Bypassing Homograph Attack Using /@ I look at on my previous report on 268984 and see patch code in the github https://github.com/brave/browser-laptop/commit/f2e438d6158fbc62e2641458b6002a72d223c366 I look at code at it'returns the punycode URL when given a valid URL', function...

6.9 AI score
Exploits: 0

OpenVAS
added 2018/02/06 12:0 a.m. | 22 views

Debian: Security Advisory (DLA-1084-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description)...

9.8 CVSS | 9.6 AI score | 0.01215 EPSS
Exploits: 0 | References: 2

OpenVAS
added 2018/02/06 12:0 a.m. | 29 views

Debian: Security Advisory (DLA-1085-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description)...

9.8 CVSS | 9.6 AI score | 0.01215 EPSS
Exploits: 0 | References: 2

Openbugbounty
added 2018/01/18 5:48 a.m. | 6 views

dnsquery.org XSS vulnerability

Open Bug Bounty ID: OBB-530934

Description | Value
---|---
Affected Website: | dnsquery.org
Vulnerable Application: | Custom Code
Vulnerability Type: | XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: | 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Disclosure Standard: | Coordinated Disclosure based ...

6.4 AI score
Exploits: 0

OSV
added 2017/11/15 12:0 a.m. | 2 views

UBUNTU-CVE-2017-7838

Punycode format text will be displayed for entire qualified international domain names in some instances when a sub-domain triggers the punycode display instead of the primary domain being displayed in native script and the sub-domain only displaying as punycode. This could be used for limited...

5.3 CVSS | 6.8 AI score | 0.01072 EPSS
Exploits: 0 | References: 4

UbuntuCve
added 2017/11/15 12:0 a.m. | 22 views

CVE-2017-7833

Some Arabic and Indic vowel marker characters can be combined with Latin characters in a domain name to eclipse the non-Latin character with some font sets on the addressbar. The non-Latin character will not be visible to most viewers. This allows for domain spoofing attacks because these combine...

5.3 CVSS | 6.8 AI score | 0.01072 EPSS
Exploits: 0 | References: 3

UbuntuCve
added 2017/11/15 12:0 a.m. | 27 views

CVE-2017-7838

Punycode format text will be displayed for entire qualified international domain names in some instances when a sub-domain triggers the punycode display instead of the primary domain being displayed in native script and the sub-domain only displaying as punycode. This could be used for limited...

5.3 CVSS | 6.8 AI score | 0.01072 EPSS
Exploits: 0 | References: 3

Kaspersky
added 2017/11/14 12:0 a.m. | 256 views

KLA11135 Multiple vulnerabilities in Mozilla Firefox and Firefox ESR

Multiple serious vulnerabilities have been found in Firefox and Firefox ESR. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions, spoof user interface, perform cross-site scripting, gain privileges and execute arbitrary code. 1. A...

10 CVSS | 10 AI score | 0.28905 EPSS
Exploits: 0 | References: 5

FreeBSD
added 2017/11/14 12:0 a.m. | 48 views

mozilla -- multiple vulnerabilities

Mozilla Foundation reports:
CVE-2017-7828: Use-after-free of PressShell while restyling layout
CVE-2017-7830: Cross-origin URL information leak through Resource Timing API
CVE-2017-7831: Information disclosure of exposed properties on JavaScript proxy objects
CVE-2017-7832: Domain spoofing throug...

10 CVSS | 7.1 AI score | 0.28905 EPSS
Exploits: 0 | References: 2

ThreatPost
added 2017/10/13 11:59 a.m. | 11 views

Google Busy Removing More Malicious Chrome Extensions from Web Store

Google scrambled this week to remove a malicious Chrome extension from its store and users’ machines after a popular Twitter account disclosed the issue publicly. The incident ramped up again one day later when the developers were able to get two other shady plugins past Google’s defenses before...

7 AI score
Exploits: 0 | References: 6

Hacker One
added 2017/09/24 3:25 p.m. | 95 views

HackerOne: Homograph fix Bypass

Hello Hackerone! I have possibly found a way to bypass your current Homograph Attack Fix. Let's look at two HACKERONE Redirect URL: CASE 1: https://hackerone.com/redirect?signature=829727b4188c43dcf394fd841fd19a8b7f391bd1&url=https%3A%2F%2Fwww.yelp.com%2F Got the above link generated by posting...

0.3 AI score
Exploits: 0

Hacker One
added 2017/09/17 5:42 a.m. | 39 views

Brave Software: Homograph Attack Bypass [ Tested on Linux & Windows ]

Summary: at 175286 you has been patched, and i try it work, but i've another way to bypass it. when we add a site to our Homepage with @, it's not validate a url properly, make sure it's display the punycode. Products affected: Brave 0.18.36 Linux & Windows Steps To Reproduce: 1. In browser add...

Exploits: 0

CNVD
added 2017/09/08 12:0 a.m. | 2 views

Libidn2 'decode_digit' function integer overflow vulnerability

Libidn2 is a package that implements string preprocessing, Punycode, and IDNA specification definitions through the IETF International Domain Name (IDN). An integer overflow vulnerability exists in the 'decode_digit' function of the punydecode.c file in Libidn2 versions prior to 2.0.4. A remote...

9.8 CVSS | 7.1 AI score | 0.01215 EPSS
Exploits: 0 | References: 1

Hacker One
added 2017/09/06 8:31 p.m. | 32 views

Quora: IDNs displayed in unicode

Hello Quora, Please refer https://en.wikipedia.org/wiki/Internationalized_domain_name to know more about IDNs. The IDN (Internationalized Domain Name): http://ebаy.com/ is a homograph for the Latin ebay.com. If you click that first link, you might think that you are going to ebay.com but in fact, yo...

6.8 AI score
Exploits: 0

ThreatPost
added 2017/09/06 2:16 p.m. | 19 views

IDN Homograph Attack Spreading Betabot Backdoor

An IDN homograph attack leveraging Adobe’s brand has been discovered, with the malicious site spreading the Betabot backdoor and ultimately infecting compromised machines with cryptocurrency-mining and data-stealing malware. Attacks using internationalized domain name homographs rely on users...

0.5 AI score
Exploits: 0 | References: 3

Tenable Nessus
added 2017/09/05 12:0 a.m. | 27 views

Debian DLA-1084-1 : libidn security update

It was discovered that there was an integer overflow vulnerability in libidn's Punycode handling (an encoding used to convert Unicode characters to ASCII) which would have allowed remote attackers to cause a denial of service. For Debian 7 'Wheezy', this issue has been fixed in libidn version...

9.8 CVSS | 7 AI score | 0.01215 EPSS
Exploits: 0 | References: 3

Tenable Nessus
added 2017/09/05 12:0 a.m. | 30 views

Debian DLA-1085-1 : libidn2-0 security update

It was discovered that there was an integer overflow vulnerability in libidn2-0's Punycode handling (an encoding used to convert Unicode characters to ASCII) which would have allowed attackers to cause a remote denial of service. For Debian 7 'Wheezy', this issue has been fixed in libidn2-0 version...

9.8 CVSS | 6.9 AI score | 0.01215 EPSS
Exploits: 0 | References: 3

Hacker One
added 2017/08/17 5:43 a.m. | 21 views

Legal Robot: Homograph IDNs displayed in Description

The IDN: http://ebаy.com/ is a homograph for the Latin ebay.com. If you copy and paste a link, you might think that you are going to ebay.com. In fact, you are going to a homograph URL http://xn--eby-7cd.com/ It would be safer to show the punycode version of the URL so that it would be apparent...

0.1 AI score
Exploits: 0