326 matches found

ThreatPost
added 2017/04/20 2:32 p.m., 23 views

Google Fixes Unicode Phishing Vulnerability in Chrome 58, Firefox Stands Pat

Google fixed a handful of issues when it released the latest version of its browser, Chrome 58, on Wednesday, including a vulnerability that could have made it easier for an attacker to carry out a phishing attack with Unicode domains. The vulnerability, based on Punycode – a way to represent...

AI score: 7.2
Exploits: 0, References: 10

seebug.org
added 2017/04/19 12:00 a.m., 11 views

Whole-script confusable domain label spoofing

Posted by Xudong Zheng Before I explain the details of the vulnerability, you should take a look at the proof-of-concept. Punycode makes it possible to register domains with foreign characters. It works by converting individual domain label to an alternative format using only ASCII characters. Fo...

AI score: 6.7
Exploits: 0

The Hacker News
added 2017/04/17 3:17 a.m., 10 views

This Phishing Attack is Almost Impossible to Detect On Chrome, Firefox and Opera

A Chinese infosec researcher has reported about an "almost impossible to detect" phishing attack that can be used to trick even the most careful users on the Internet. He warned, hackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domain names...

AI score: 6.6
Exploits: 0

Hacker One
added 2017/04/16 8:32 p.m., 24 views

Brave Software: homograph-attack (unicode vuln)

Hi team Summary: Affected product appears identically different websites domains attacker uses unicode to register domains that look identical to real domains, these fake domains can be used to fool users into signing into a fake website, thereby handing over their login credentials to an...

AI score: 0.4
Exploits: 0

RedHat Linux
added 2017/02/02 4:38 a.m., 0 views

Mozilla: Location bar spoofing with unicode characters (MFSA 2017-02)

URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display, allowing for domain name spoofing attacks in the location bar. This vulnerability affects Thunderbird 45.7, Firefox ESR 45.7, and Firefox 51...

CVSS: 5.3, AI score: 7.3, EPSS: 0.01986
Exploits: 0, References: 5

RedHat Linux
added 2017/01/25 9:31 a.m., 2 views

Mozilla: Location bar spoofing with unicode characters (MFSA 2017-02)

URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display, allowing for domain name spoofing attacks in the location bar. This vulnerability affects Thunderbird 45.7, Firefox ESR 45.7, and Firefox 51...

CVSS: 5.3, AI score: 7.3, EPSS: 0.01986
Exploits: 0, References: 5

RedhatCVE
added 2017/01/25 6:47 a.m., 21 views

CVE-2017-5383

URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display, allowing for domain name spoofing attacks in the location bar. This vulnerability affects Thunderbird 45.7, Firefox ESR 45.7, and Firefox 51...

CVSS: 6.1, AI score: 2.8, EPSS: 0.01986
Exploits: 0, References: 2

UbuntuCve
added 2017/01/25 12:00 a.m., 28 views

CVE-2017-5383

URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display, allowing for domain name spoofing attacks in the location bar. This vulnerability affects Thunderbird 45.7, Firefox ESR 45.7, and Firefox 51...

CVSS: 5.3, AI score: 6.8, EPSS: 0.01986
Exploits: 0, References: 5

Hacker One
added 2016/10/12 4:25 a.m., 32 views

Brave Software: Homograph attack

Summary: when we add a site to our Homepage, it's not validate a url properly, make sure it's display the punycode. Products affected: Brave 0.12.4 Tested on mac os Steps To Reproduce: In browser add homepage with IDN http://ebаy.com/ now close and open browser again you can see it's redirect to...

AI score: 0.1
Exploits: 0

Fedora
added 2016/10/10 6:19 p.m., 29 views

[SECURITY] Fedora 25 Update: mingw-libidn-1.33-1.fc25

GNU Libidn is an implementation of the Stringprep, Punycode and IDNA specifications defined by the IETF Internationalized Domain Names IDN working group, used for internationalized domain names...

CVSS: 7.5, AI score: 2, EPSS: 0.02955
Exploits: 0

Hacker One
added 2016/09/29 3:37 p.m., 36 views

Yelp: IDNs displayed in unicode in messages/about/talk sections (Homograph Attack)

Hello Yelp, Please refer https://en.wikipedia.org/wiki/Internationalizeddomainname to know more about IDNs. The IDN Internationalized Domain Name : http://ebаy.com/ is a homograph for the latin ebay.com. if you click that first link, you might think that you are going to ebay.com but in fact, you...

AI score: 6.9
Exploits: 0

Fedora
added 2016/08/09 12:02 a.m., 27 views

[SECURITY] Fedora 23 Update: libidn-1.33-1.fc23

GNU Libidn is an implementation of the Stringprep, Punycode and IDNA specifications defined by the IETF Internationalized Domain Names IDN working group, used for internationalized domain names...

CVSS: 7.5, AI score: 2, EPSS: 0.02955
Exploits: 0

Fedora
added 2016/07/24 8:21 p.m., 21 views

[SECURITY] Fedora 24 Update: libidn-1.33-1.fc24

GNU Libidn is an implementation of the Stringprep, Punycode and IDNA specifications defined by the IETF Internationalized Domain Names IDN working group, used for internationalized domain names...

CVSS: 7.5, AI score: 2, EPSS: 0.02955
Exploits: 0

Fedora
added 2015/07/29 1:56 a.m., 29 views

[SECURITY] Fedora 22 Update: libidn-1.31-1.fc22

GNU Libidn is an implementation of the Stringprep, Punycode and IDNA specifications defined by the IETF Internationalized Domain Names IDN working group, used for internationalized domain names...

CVSS: 7.5, AI score: 2, EPSS: 0.00827
Exploits: 0

Fedora
added 2015/07/29 1:54 a.m., 24 views

[SECURITY] Fedora 21 Update: libidn-1.31-1.fc21

GNU Libidn is an implementation of the Stringprep, Punycode and IDNA specifications defined by the IETF Internationalized Domain Names IDN working group, used for internationalized domain names...

CVSS: 7.5, AI score: 2, EPSS: 0.00827
Exploits: 0

Hacker One
added 2015/05/03 2:26 a.m., 21 views

HackerOne: Homograph Attack

Hello HackerOne, Fix of Report 29491 and 58612 is incomplete. I found another way to replicate homograph attack using Hex Code: www.%00ebаy.com www.%01ebаy.com www.%02ebаy.com www.%03ebаy.com www.%04ebаy.com www.%05ebаy.com www.%06ebаy.com www.%07ebаy.com www.%08ebаy.com www.%0Bebаy.com...

AI score: 1.7
Exploits: 0

Hacker One
added 2015/04/26 5:58 p.m., 20 views

HackerOne: Homograph attack

Hello! I would like to report that fix of report 29491 is incomplete. There is another way to reproduce homograph attack: or IDNs are displayed in unicode and there is no encoding into Punycode on external link warning page Thanks! - Matvejs...

AI score: 1.5
Exploits: 0

F5 Networks
added 2015/04/20 12:00 a.m., 47 views

SOL16472 - glibc vulnerability CVE-2013-7424

Vulnerability Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are...

CVSS: 5.1, AI score: 1.8, EPSS: 0.00831
Exploits: 0, References: 9

Hacker One
added 2014/09/30 6:51 p.m., 82 views

HackerOne: homograph attack. IDNs displayed in unicode in bug reports and on external link warning page

the IDN: http://ebаy.com/ is a homograph for the latin ebay.com. if you click that first link, you might think that you are going to ebay.com. in fact, you are going to a homograph url http://xn--eby-7cd.com/ more info http://www.chromium.org/developers/design-documents/idn-in-google-chrome more...

AI score: 1.1
Exploits: 0

0day.today
added 2013/10/02 12:00 a.m., 23 views

PHP IDNA Convert 0.8.0 Cross Site Scripting Vulnerability

Cross-site scripting XSS vulnerability in parameters encoded/decoded in the class PHP IDNA Convert allows remote attackers to inject arbitrary web script or HTML. PHP IDNA Convert Cross-site scripting XSS Vendor product description PHP NetIDNA is a class to convert between the Punycode and Unicod...

AI score: 6.3
Exploits: 0