New Browser flaw

BobHelm
udonmap.com
Posts: 17442
Joined: September 7, 2005, 11:58 pm
Location: Udon Thani

New Browser flaw

Post by BobHelm » April 19, 2017, 7:50 am

There are reports of a Browser flaw that is/was affecting all the major browsers.

Chrome & Firefox have yet to release a fix but it is quite easy to do a manual fix in Firefox to eliminate it.

The flaw is centered on Punycode.
https://en.wikipedia.org/wiki/Punycode

Using it a hacker can create an alternative web site that looks exactly like an original official web site with no indication by the browser that you are actually not on the official site. Usernames & passwords used to access that site can then be captured by the hacker.
It is, obviously, a fair bit of work on the part of the hacker to replicate the official site, but rewarding if they do get hits.

To remove the problem in Firefox do the following..

Type
about:config
in the address bar & approve the 'here be dragons' warning message.
Search for
punycode
the line
network.IDN_show_punycode
will appear with a Value of False
Right mouse click on this line & select Toggle
The value will change from False to True

Security firm Wordfence set up a dummy site to prove the flaw..
https://www.wordfence.com/blog/2017/04/ ... -phishing/

With punycode set to False this is what the URL of their dummy site looks like in Firefox
[Image: epic 1.png]
Once punycode is set to True the real URL of the site is revealed..
[Image: epic 2.png]

Udon Map
Admin
Posts: 872
Joined: July 31, 2013, 7:57 pm

Re: New Browser flaw

Post by Udon Map » April 19, 2017, 11:23 am

Is there a way to do that in Chrome so that you always see the real URL instead of the abbreviated one?

BobHelm
udonmap.com
Posts: 17442
Joined: September 7, 2005, 11:58 pm
Location: Udon Thani

Re: New Browser flaw

Post by BobHelm » April 19, 2017, 12:34 pm

Google say v59 will stop this type of attack..
in the meantime maybe this extension..

PunyCode Domain Detection

I have not tried that though as I normally use Firefox..

tamada
udonmap.com
Posts: 1396
Joined: February 21, 2007, 4:03 am
Location: down two... then left

Re: New Browser flaw

Post by tamada » April 21, 2017, 10:55 am

Just did the FF fix.

Checked Chrome which was running v57 and it just updated itself to v58.

Neil_Hines
New Member
Posts: 7
Joined: April 26, 2017, 5:29 pm

Re: New Browser flaw

Post by Neil_Hines » April 26, 2017, 5:41 pm

Which Browser can I use Chrome or Firefox? Any suggestion which one is the best?

vidmaster
udonmap.com
Posts: 342
Joined: August 18, 2013, 3:15 am

Re: New Browser flaw

Post by vidmaster » April 27, 2017, 10:35 pm

Bob, searched but can't find punnycode.
Is it embedded in a string of words or on its own, as can't find alphabetically?

vidmaster
udonmap.com
Posts: 342
Joined: August 18, 2013, 3:15 am

Re: New Browser flaw

Post by vidmaster » April 27, 2017, 10:40 pm

Hi Bob found it & now set to True
Does that mean I'm now safe to browse?
How can I see the URL NN-e1 etc.......?

vidmaster
udonmap.com
Posts: 342
Joined: August 18, 2013, 3:15 am

Re: New Browser flaw

Post by vidmaster » April 27, 2017, 10:42 pm

Sorry xn--e1a etc?

BobHelm
udonmap.com
Posts: 17442
Joined: September 7, 2005, 11:58 pm
Location: Udon Thani

Re: New Browser flaw

Post by BobHelm » April 28, 2017, 6:53 am

Any site you visit will now show its actual URL code in the browser bar.
So if you are in HSBC web site (for example) it will say that. A false site set up to resemble the HSBC web site using Punycode will now show its actual URL in the address bar.

To see that in action go to the
https://www.xn--e1awd7f.com/
URL.

If you have not set punycode to = True then the address in the browser will appear to be
https://www.epic.com
If you have set punycode to = True then it will show its true address, which is
https://www.xn--e1awd7f.com/
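
Added example, not part of the original thread: a Python check that decodes the `xn--` label from the demo URL above, reproducing both address-bar views and naming the ASCII host that the decoded form imitates. The `CONFUSABLES` table is a small constructed subset and the function names are assumptions made for this example.

```python
ACE_PREFIX = "xn--"  # marks a Punycode-encoded label in a host name

# Constructed, deliberately small subset of Cyrillic letters that render like
# ASCII letters. Real tooling would use the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u0458": "j",
}

def decode_label(label):
    """Unicode form of one DNS label; plain or malformed labels come back as-is."""
    if not label.lower().startswith(ACE_PREFIX):
        return label
    try:
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # not valid Punycode, show it unchanged

def lookalike(label):
    """ASCII string the decoded label imitates, or None if it imitates nothing."""
    uni = decode_label(label)
    if uni == label:
        return None  # not an IDN label
    if all(ch in CONFUSABLES or ch.isascii() for ch in uni):
        return "".join(CONFUSABLES.get(ch, ch) for ch in uni)
    return None  # contains characters with no ASCII twin in our table

def inspect_host(host):
    """Return the host as shown with show_punycode true/false, plus any spoof target."""
    labels = host.rstrip(".").lower().split(".")
    shown_unicode = ".".join(decode_label(l) for l in labels)
    imitated = [lookalike(l) for l in labels]
    spoof = None
    if any(imitated):
        # Swap each lookalike label for the ASCII text it resembles.
        spoof = ".".join(i or l for i, l in zip(imitated, labels))
    return {"punycode": ".".join(labels), "unicode": shown_unicode, "imitates": spoof}

if __name__ == "__main__":
    # First host is the demo URL from the post; the other two are constructed.
    for h in ("www.xn--e1awd7f.com", "www.xn--bcher-kva.example", "www.example.com"):
        print(inspect_host(h))
```

The same function can be run over host names pulled from proxy or DNS logs to list visited domains whose Unicode form reads as a different ASCII name.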

vidmaster
udonmap.com
Posts: 342
Joined: August 18, 2013, 3:15 am

Re: New Browser flaw

Post by vidmaster » April 28, 2017, 1:14 pm

Many thanks Bob
