Modernizing Authentication — What It Takes to Transform Secure Access
A non-profit security think tank called the Shmoo Group has announced the discovery of a flaw in Firefox and other recent browsers, including Mozilla, Safari, Opera and Camino, that leaves users open to a spoofing or phishing attack. Microsoft Internet Explorer is not affected.
The Shmoo Group posted notice of the exploit on its site under the title, "0wn any domain, no defense exists."
"Want to own ANY domain? Want a trusted SSL cert for it? We 0wnz0rd PayPal, but left the rest for you. We have no idea how to fix this and neither do the browser developers," states the group's Web site.
Calling the flaw "IDN Spoofing Security Issue," security firm Secunia has labeled it moderately critical and suggests users don't follow links from un-trusted sources and manually type a URL in the address bar.
Eric Johanson of the Shmoo Group has reported and demonstrated in a proof of concept a "homograph attack" that allows a malicious Web site to spoof the actual URL that is displayed in the address bar, status bar or even an SSL certificate.
The flaw is the result of an "unintended result" of how the International Domain Name (IDN) system is implemented in the browsers. One way the flaw can be exploited is for a malicious user to register a domain name with an international character that looks like a Latin alphabet character. The address appears to be the correct address, though it is using an international character.
The concept of "Homograph attacks" is not a new one. Johanson himself cites a December 2001 research paper that describes how such an attack could occur, though he notes at that time no browser had implemented Unicode/UTF8 domain name resolution. Almost every recent browser (Firefox, Mozilla, Safari, Opera) except for Microsoft's Internet Explorer currently implements IDN and Unicode/UTF8 domain name resolution.
According to the Shmoo Group, Mozilla developers have provided a workaround for the problem, though it's unclear how successful the workaround is at this point.