The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Chrome, Firefox: site spoofing via homographs

Synthesis of the vulnerability

An attacker can use a URL with Unicode characters that look like ASCII characters, in order to deceive the victim.
Severity of this bulletin: 2/4.
Creation date: 18/04/2017.
References of this threat: 1332714, CVE-2017-5090, VIGILANCE-VUL-22467.

Description of the vulnerability

Several Unicode characters (such as U+0430) look like the ASCII 'a' character. Some attackers register domain names containing these look-alike characters, in order to lure the victim into clicking on a link.

This type of attack, based on homographs, was already described in several bulletins (VIGILANCE-VUL-4729 and VIGILANCE-VUL-8497), and fixes have been applied in most software.

However, when the name consists entirely of non-ASCII Unicode characters, the Chrome and Firefox protections are bypassed. For example, https://xn--e1awd7f.com/ is displayed as https://www.epic.com/. Moreover, as a valid certificate for this domain can be obtained from Let's Encrypt, an attacker can easily spoof a TLS site.

An attacker can therefore use a URL with Unicode characters that look like ASCII characters, in order to deceive the victim.

This computer threat bulletin impacts software or systems such as Chrome, Firefox, SeaMonkey, Opera.

Our Vigil@nce team determined that the severity of this security threat is medium.

The trust level is: confirmed by the vendor, with a document as origin.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this vulnerability.

Solutions for this threat

Chrome: version 59.
Version 59 is probably fixed:
  https://www.google.fr/chrome/browser/desktop/
Version 59 was released, but its changelog does not explicitly mention this issue.

Firefox: workaround for homographs.
A workaround is to set "network.IDN_show_punycode" to "true" in about:config.
Unicode domain names will then be displayed in their punycode form, such as https://www.xn--[...].com/

Opera: version 44.0.2510.1449.
Version 44.0.2510.1449 is fixed:
  https://net.geo.opera.com/opera/stable?utm_medium=sm&utm_source=desktop_blog&utm_campaign=stable
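As an added example (not part of the Vigil@nce bulletin or of any browser's code), the following Python check decodes punycode labels, flags both the classic mixed-script homograph and the single-script case described above, and falls back to the punycode display form that the Firefox workaround uses. The confusables table is a constructed subset of the Unicode confusables data, and the hostnames other than the bulletin's xn--e1awd7f.com are made up.

```python
import unicodedata

# Constructed subset of the Unicode confusables table (UTS #39): lowercase
# Cyrillic letters that common fonts render identically to Latin ones.
# A production check should load the full confusables.txt instead.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u04bb": "h", "\u04cf": "l", "\u0455": "s",
}

def to_unicode_label(label):
    """Decode an A-label (xn--...) to its U-label; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ascii_label(label):
    """Inverse of to_unicode_label: the punycode form that is safe to display."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def scripts_of(label):
    """Scripts of the letters in a label, taken from the Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Replace each confusable Cyrillic letter with the Latin letter it imitates."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in label)

def analyze_hostname(hostname):
    """Flag labels that impersonate Latin names and give a safe display form.

    Flagged: a label mixing scripts (the homograph browsers already block),
    and a label that is entirely Cyrillic but where every letter has a Latin
    look-alike (the single-script case of this bulletin). Flagged hostnames
    are displayed in punycode, as the network.IDN_show_punycode setting does.
    """
    findings = []
    for label in hostname.split("."):
        ulabel = to_unicode_label(label)
        if ulabel.isascii():
            continue
        letters = [ch for ch in ulabel if ch.isalpha()]
        mixed = len(scripts_of(ulabel)) > 1
        whole_script_spoof = bool(letters) and all(ch in CYRILLIC_TO_LATIN for ch in letters)
        if mixed or whole_script_spoof:
            findings.append({"label": label, "unicode": ulabel, "looks_like": skeleton(ulabel)})
    suspicious = bool(findings)
    labels = [to_ascii_label(to_unicode_label(l)) for l in hostname.split(".")]
    display = ".".join(labels) if suspicious else hostname
    return {"hostname": hostname, "suspicious": suspicious, "display": display, "findings": findings}
```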
