mailing list archives
Re: Apple Safari: idn urlbar spoofing
From: Robert Swiecki <jagger () swiecki net>
Date: Mon, 25 Jun 2007 22:33:19 +0200
With a specially crafted web page, an attacker can redirect
a www browser to the page, which URL (on the address bar) resembles an
arbitrary domain choosen by the attacker.
It is possible due to the fact, that apple safari supports
IDNs - http://en.wikipedia.org/wiki/Internationalized_domain_name -
and some of the UTF8 font glyphs embedded in the safari, could be used
to create an URL which contains whitespaces.
The picture taken on my system:
Tested with Apple Safari 3.0.2 (522.13.1) on MS Windows 2003 SE SP2
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/