Spoofing Flaw Found in Non IE Browsers

36 Comments

At a convention of hackers on the East Coast over the weekend, a security flaw was reported in non-Microsoft browsers that could allow someone to spoof the Web site of a real company simply by adding code to a link.

The ASCII coding is used by computers to translate a numerical code into an alphabetical letter. In the case of domain names, it is being used for the International Domain Name (IDN) specification in order to allow domains to be typed with country-specific characters such as the Spanish "ñ" or German "ü."

To support non-standard letters, the URL is changed into a special coding that the browser can understand - and that's where the problem occurs. The group that discovered the issue offered one example, shown on its Web site, which spoofs the URL for the PayPal service.

The link is translated into the code, which looks like p& #1072;ypal.com. The coding is the translation of the letter "a," however browsers that translate the code to use the international characters will mistakenly load up the URL: xn--pypal-4ve.com.

With phishing scams on the rise, banks and services such as PayPal have endeavored to protect users by instructing them to make sure the Web addresses they visit are legitimate before inputting sensitive information. But this flaw means Web browsers will appear to load a proper site, while in actuality taking users to a different location.

The group said the problem affects all non-Microsoft browsers, as they support the IDN standard. Internet Explorer does not natively support IDN at the current time unless a plug-in is installed.

Because the flaw lies in the basic implementation of IDN, it's unclear how browser vendors will protect their users. Mozilla developers say they are working on a long-term solution to the issue, and in the meantime will instruct users on disabling IDN support.

Opera on the other hand, says it has correctly implemented the specification and will not be making any changes. Apple and VeriSign, which championed IDN, have not responded to the problem.

36 Comments

36 Responses to Spoofing Flaw Found in Non IE Browsers

Got News? Contact Us

Recent Headlines

Firefox Nightly expands to Linux on ARM64

How writing zip support for Windows almost cost its creator his job at Microsoft

Apple AirPlay comes to IHG Hotels and Resorts

Millennials are key targets for phishing

Get 'Applied Machine Learning and AI for Engineers' (worth $67.99) for FREE

Best Windows apps this week

The dynamics of modern Windows device management [Q&A]

Most Commented Stories

Say goodbye to Microsoft Windows 11 and hello to Nitrux Linux 3.4.0 'pl'

61 Comments

Windows 11 slammed for its 'comically bad' performance even on high-end hardware

18 Comments

Outrageous: Microsoft to charge $61 for Windows 10 updates -- consider switching to Linux!

17 Comments

Microsoft 'improves' Windows 11 by bringing ads to the Start menu in the US

16 Comments

Microsoft is up to its old tricks yet again -- Windows 10 users harassed with full-screen Windows 11 upgrade warnings

16 Comments

The stunning Windows 13 -- yes, 13! -- is the Microsoft operating system we want

14 Comments

Easter giveaway! Get a licensed copy of 'VideoProc Converter for Windows/Mac' (worth $78.90) for FREE

10 Comments

EndeavourOS ARM discontinued: A huge loss for the Linux community

9 Comments

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.