Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .

Big Safari/Netscape/Firefox Security Hole

The Shmoo Group has discovered a gaping security hole in browsers that support Internationalized Domain Names (IDN), that is, domain names containing non-ASCII Unicode characters. It allows an attacker to spoof a legitimate website, and could lead even savvy web users to fall prey to phishing scams.
In a nutshell, the attack uses a specially crafted URL that sends the user to the attacker's page while the browser's address bar displays a different, legitimate-looking name.
An example attack is given that sends users to what is apparently PayPal's site (at least, the browser says "www.paypal.com"), but is really the group's own, fake site.
The IDN hole is a result of the fact that Internationalized Domain Names are resolved in one form and shown to the user in another. The PayPal attack works because the name used, "www.pаypal.com", is converted to its ASCII-compatible form "www.xn--pypal-4ve.com" before being resolved, while the address bar displays the Unicode form, which looks exactly like "www.paypal.com". The first 'a' in paypal is actually Unicode character U+0430 (decimal 1072), CYRILLIC SMALL LETTER A, which is drawn like a Latin 'a' in most fonts. The Shmoo folks registered "xn--pypal-4ve.com" and now host their "PayPal" site there.
It gets worse: UserTrust issued an SSL certificate to the false website, so when you connect via HTTPS, the certificate checks out. The certificate is for the Punycode name the group actually registered, so it matches the host the browser connected to and nothing trips a warning; the padlock tells you the connection is encrypted, not which "paypal" you reached. It looks exactly as if you had connected to the secure version of PayPal's site.
Ironically, because Internet Explorer has not been updated in a long while, it does not support IDN, and so is not vulnerable to this particular attack.
This is an extremely serious break, and I'm sure that Apple and the Mozilla engineers are working on a fix as I write this.
By Periodik Labs on February 7, 2005 11:48 AM |