Allvarligt säkerhetshål i Safari, Firefox låter hackare ta över vilken sajt som helst

Tråden skapades och har fått 4 svar. Det senaste inlägget skrevs .

Det finns ett allvarligt säkerhetshål i de flesta webbläsare förutom IE (snacka om ironi) som låter hackare ta över vilken domän som helst, även så kallade säkra, SSL-kopplade, sidor.

Hacket demonstrerades nyligen av The Shmoo Group och Boing Boing skriver om det:

Shmoo Group exploit: 0wn any domain, no defense exists
Pablos sez, "Shmoocon ended today. And just to prove The Shmoo Group wasn't sitting on their asses for the entire time while planning the con - A new exploit was demo'd by EricJ that left all jaws our on the floor. Want to own ANY domain? Want a trusted SSL cert for it? Check it out here. We 0wnz0rd PayPal, but left the rest for you. We have no idea how to fix this and neither do the browser developers. Official advisory here. Phishing attacks of doom coming soon."

Testa hacket på PayPal själv i Firefox eller Safari:

I artikeln från Boing Boing finns även tips på hur man skyddar sig i Firefox:

Update: Chris Smith sez,
1) Goto your Firefox address bar. Enter about:config and press enter. Firefox will load the (large!) config page.

2) Scroll down to the line beginning network.enableIDN -- this is International Domain Name support, and it is causing the problem here. We want to turn this off -- for now. Ideally we want to support international domain names, but not with this problem.

3) Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!), click Ok. You are done.

4) Go check out the shmoo demo again and notice it no longer works.

Det går alltså att skydda sig i Firefox, men inte Safari. Apple behöver snabbt komma ut med ett skydd för Safari nu. För detta är ett högst allvarligt säkerhetshål.

[Via [url=""][/url]]

Siten verkar vara nera, du har möjligen inte txt (advisoriet) filen cachat? Skulle vilja veta lite mer om de tekniska detaljerna, boingboing var lite sparsamt på det, men det verkar som är det IDN relaterat, enligt "fixen"?

För mig fungerar länken, men jag kan posta text-filen här:

The state of homograph attacks

I. Background

International Domain Name [IDN] support in modern browsers allows attackers to
spoof domain name URLs + SSL certs.

II. Description

In December 2001, a paper was released describing Homograph attacks [1]. This
new attack allows an attacker/phisher to spoof the domain/URLs of businesses.
At the time this paper was written, no browsers had implemented Unicode/UTF8
domain name resolution.

Fast forward to today: Verisign has championed International Domain Names
(IDN) [2]. RACES has been replaced with PUNYCODE [3]. Every recent
gecko/khtml based browser implements IDN (which is just about every browser
except for IE; plug-in are available [5]).

III. The details

Proof of concept URL:

Clicking on any of the two links in the above webpage using anything but IE
should result in a spoofed webpage.

The links are directed at "http://www.pа", which the browsers
punycode handlers render as

This is one example URL - - there are now many ways to display any domain name
on a browser, as there are a huge number of codepages/scripts which look very
similar to latin charsets.

Phishing attacks are the largest growing class of attacks on the internet
today. I find it amusing that one of the large early adopters of IDN offer an
'Anti-Phishing Solution' [6].

Finally, as a business trying to protect their identity, IDN makes their life
very difficult. It is expected there will be many domain name related
conflicts related to IDN.

Vulnerable browsers include (but are not limited to):

Most mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc)
Safari 1.2.5
Opera 7.54
Omniweb 5

Other comment:

There are some inconsistencies with how the browsers match the host name
with the Common Name (CN) in the SSL cert. Most browsers seem to match the
punycode encoded hostname with the CN, yet a few (try to) match the raw UTF8
with the CN. In practice, this makes it impossible to provide 'SSL' services
effectively, ignoring the fact that IE doesn't yet support them.

IV. Detection

There are a few methods to detect that you are under a spoof attack. One
method is to cut & paste the url you are accessing into notepad or some other
tool (under OSX, paste into a terminal window) which will allow you to view
what character set/pagecode the string is in. You can also view the details
the SSL cert, to see if it's using a punycode wrapped version of the domain
(starting with the string 'xn-'.

V. Workaround

You can disable IDN support in mozilla products by setting 'network.enableIDN'
to false. There is no workaround known for Opera or Safari.

VI. Vendor Responses

Verisign: No response yet.
Apple: No response yet.
Opera: They believe they have correctly implemented IDN, and will not be
making any changes.
Mozilla: Working on finding a good long-term solution; provided clear
workaround for disabling IDN.

VII. Timeline

2002 - Original paper published on homograph attacks
2002-2005 - Verisign pushes IDN, and browsers start adding support for it
Jan 19, 2005 - Vendors notified of vulnerability
Feb 6, 2005 - Public disclosure @shmoocon 2005

VIII. Copyright

This paper is copyright 2005, Eric Johanson

Assistance provided by:
- The Shmoo Group
- The Ghetto Hackers

Thank you, you know who you are.



  • Oregistrerad
  • 2005-02-07 12:34

Hur vanligt är ACE för IDN?
För det var väl där certen missade...
(Säger väl mer om cert egentligen?)

Lite mera info om detta: MacNytt hade en artikel igår och Ben Goodger har kommenterat det.

Bevaka tråden