Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: state of homograph attacks
From: Simon Roberts <thorpflyer () yahoo com>
Date: Sun, 6 Feb 2005 19:49:09 -0800 (PST)

FYI, in case anyone hadn't worked it out yet, the
provided demo works against Konqueror 3.2.1 on KDE
3.2.1 on Suse Linux too.

Pasting the given URL into vi doesn't show the
problem, but view page source (which brings up the
page in KWrite) and "od -xc" do expose the attack.


--- fulldisclosure () cubesearch com wrote:

The state of homograph attacks

I.    Background

International Domain Name [IDN] support in modern
browsers allows 
attackers to spoof domain name URLs + SSL certs.

II.   Description

In December 2001, a paper was released describing
Homograph attacks [1]. 
This new attack allows an attacker/phisher to spoof
the domain/URLs of 
businesses. At the time this paper was written, no
browsers had 
implemented Unicode/UTF8 domain name resolution.

Fast forward to today:  Verisign has championed
International Domain Names 
(IDN) [2].  RACES has been replaced with PUNYCODE
[3].  Every recent 
gecko/khtml based browser implements IDN (which is
just about every 
browser [4] except for IE; plug-in are available

III.  The details

Proof of concept URL:


Clicking on any of the two links in the above
webpage using anything but 
IE should result in a spoofed paypal.com webpage.

The links are directed at
"http://www.p?ypal.com/";, which the 
browsers punycode handlers render as

This is one example URL - - there are now many ways
to display any domain 
name on a browser, as there are a huge number of
codepages/scripts which 
look very similar to latin charsets.

Phishing attacks are the largest growing class of
attacks on the internet 
today.  I find it amusing that one of the large
early adopters of IDN 
offer an 'Anti-Phishing Solution' [6].

Finally, as a business trying to protect their
identity, IDN makes their 
life very difficult.  It is expected there will be
many domain name 
related conflicts related to IDN.

Vulnerable browsers include (but are not limited

Most mozilla-based browsers (Firefox 1.0, Camino
.8.5, Mozilla 1.6, etc)
Safari 1.2.5
Opera 7.54
Omniweb 5

Other comment:

There are some inconsistencies with how the browsers
match the host name 
with the Common Name (CN) in the SSL cert.  Most
browsers seem to match 
the punycode encoded hostname with the CN, yet a few
(try to) match the 
raw UTF8 with the CN.  In practice, this makes it
impossible to provide 
'SSL' services effectively, ignoring the fact that
IE doesn't yet support 

IV.   Detection

There are a few methods to detect that you are under
a spoof attack.  One 
easy method is to cut & paste the url you are
accessing into notepad or 
some other tool (under OSX, paste into a terminal
window) which will allow 
you to view what character set/pagecode the string
is in.  You can also 
view the details of the SSL cert, to see if it's
using a punycode wrapped 
version of the domain (starting with the string

V.    Workaround

You can disable IDN support in mozilla products by
'network.enableIDN' to false.  There is no
workaround known for Opera or 

VI.   Vendor Responses

Verisign: No response yet.
Apple:  No response yet.
Opera:  They believe they have correctly implemented
IDN, and will not be
making any changes.
Mozilla:  Working on finding a good long-term
solution; provided clear
workaround for disabling IDN.

VII.  Timeline

2002 - Original paper published on homograph attacks
2002-2005 - Verisign pushes IDN, and browsers start
adding support for it
Jan 19, 2005 - Vendors notified of vulnerability
Feb 6, 2005 - Public disclosure @shmoocon 2005

VIII. Copyright

This paper is copyright 2005, Eric Johanson 
ericj () shmoo com

Assistance provided by:
- The Shmoo Group
- The Ghetto Hackers

Thank you, you know who you are.





[3] http://mct.verisign-grs.com/index.shtml


[5] http://www.idnnow.com/index.jsp


Full-Disclosure - We believe in it.

Do you Yahoo!? 
Yahoo! Mail - 250MB free storage. Do more. Manage less. 
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]