Uncategorized 07 Feb 2005 12:52 am
vicious vicious browser exploit
This may be the most dramatic browser exploit I’ve ever seen. And so simple and elegant. Play with it and you’ll likely see why I turned off International Domain Name support in my browser pronto.
on 07 Feb 2005 at 8:41 am 1.Rechercher said …
So much for Firefox being more secure than IE.
on 07 Feb 2005 at 9:05 am 2.StopIE said …
Actually Firefox is still far more secure.
The only reason that this vulnerability doesn’t affect IE is that IE doesn’t follow the IDN standard at all.
It can be turned off extremely easily in Firefox:
1) type about:config in the address bar
2) disable “network.enableIDN”
on 07 Feb 2005 at 10:34 am 3.Ted said …
Is this something you need to worry about if you don’t have your own website?
on 07 Feb 2005 at 11:42 am 4.Cam said …
Yep. You’ve probably seen Josh’s explanation already, but if not, imagine that you’re a bad guy and you want to take advantage of this. What could you do?
It would be simple and effective to send out phishing email that would appear to direct people to a legitimate site but would really direct them to your own con-artist website.
Or let’s imagine that you manage to hack into a website, say, the Red Cross site. Instead of announcing “this site is pwnz0red!” you make a visually indetectible change that sends visitors to your con-artist website to make their donations. Depending on how clever you are and how careful the site administrators are, you could collect quite a bundle.
on 07 Feb 2005 at 2:11 pm 5.Ted said …
Ouch. Yeah, I’ll be disabling IDN when I get home.
on 07 Feb 2005 at 3:11 pm 6.Tungsten said …
Thank you!