Posted on 02/07/2005 11:29:30 AM PST by KwasiOwusu
All non-Microsoft browsers include a flaw that allows URL spoofing using Unicode characters, which can be exploited by phishing scams seeking to steal login information for online banking accounts. The spoofing flaw, which is demonstrated on the web site of the Shmoo Group, works in the Firefox, Mozilla and Opera browsers, as well as the Safari browser for Macs.
The spoof exploits flaws in how the browsers interpret Unicode characters. A link using Unicode characters to replace the letter "a" in "Paypal" will display as www.paypal.com in the browser, but send users to www.xn--pypal-4ve.com - which then displays "www.paypal.com" in its address bar. A similar spoof works on SSL-enabled URLs (https) commonly used on banking and e-commerce sites.
Unicode is a broader character set that includes non-English characters as well as symbols, which is being used on the Internet to support Internationalized Domain Names (IDN). The affected browsers support IDN, while Microsoft's Internet Explorer does not.
(Excerpt) Read more at news.netcraft.com ...
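The homograph the excerpt describes, as an added example (not code from the article or from the Shmoo Group test page): the spoof host is constructed here by replacing the first "a" in "paypal" with U+0430, the Cyrillic small letter a, which the IDNA codec turns into exactly the xn--pypal-4ve label quoted above. The mixed-script check is an assumed, simplified version of what a browser could do instead of disabling IDN outright: show the punycode form whenever one label mixes scripts.

```python
import unicodedata

# Constructed sample input: U+0430 (CYRILLIC SMALL LETTER A) replaces the first
# Latin "a". In a browser's address bar both strings render as www.paypal.com.
SPOOF_HOST = "www.p\u0430ypal.com"
REAL_HOST = "www.paypal.com"


def to_punycode(host):
    """ASCII form that DNS actually resolves (IDNA ToASCII, label by label)."""
    return host.encode("idna").decode("ascii")


def label_scripts(label):
    """Scripts of the letters in one DNS label, derived from the character name
    ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC'). This is a simplification of the
    Unicode Script property, assumed here for illustration."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_suspicious(host):
    """True if any label mixes scripts, e.g. Latin letters plus one Cyrillic
    look-alike. A label written entirely in one non-Latin script is allowed,
    since that is the legitimate use of IDN."""
    return any(len(label_scripts(label)) > 1 for label in host.split("."))


def display_name(host):
    """What a hardened address bar could show: the raw xn-- form for a
    mixed-script name, the Unicode form otherwise. This keeps IDN usable
    instead of turning it off globally (network.enableIDN = false)."""
    return to_punycode(host) if is_suspicious(host) else host


if __name__ == "__main__":
    for host in (REAL_HOST, SPOOF_HOST):
        print(f"{host!r:30} resolves as {to_punycode(host):25} "
              f"shown as {display_name(host)}")
```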
The article says Macs are vulnerable. What part of the Mac OS did Microsoft write?
I guess code writing is like speaking in tongues. I'm always surprised that wankers can spoof, snurf, smurf PC's to get them to do just about anything other than what they're supposed to do.
linux-loving characters will be saying that this is nothing but Microsoft putting out bogus press releases!
What they normally do is spoof the e-mail address and put the link in an e-mail. The e-mail looks real, like it came from the legitimate source, and the link looks legitimate also. They are getting pretty savvy and I am sure fooling more people than ever.
However according to several posters on Slashdot, that setting isn't saved once you quit and relaunch Firefox.
BINGO!
All the pieces that don't quite work right, of course.
Exactly. Never, ever click on a link in an email directing you to a site where you have an account.
I've accessed network.enableIDN... now how do I edit it... mine is set to "true"
I did miss the part about the Macs. The flaw is apparently in the IDN standard -- comments from Slashdot indicate that MSIE with an IDN plug-in is also subject to the same spoof. It's kind of hard to blame the browser makers for actually following the standard, of course...
So can ActiveX in IE, but lots of people keep saying that IE is bad because of ActiveX.
It just worked for me.
The problem is that phishers are getting much better. I've gotten a couple of Paypal scam emails that looked authentic, and only by viewing the HTML source could I tell what was going on. If somebody clicks on a link and sees "https://www.paypal.com" in the address bar and an SSL indicator, I can't blame them a whole lot for believing it's the real site.
I had no idea everyone expected their browser to also be their nanny.
Gimme a break - if you're not surfing porn sites or engaged in other unsafe Internet behavior, this won't happen to you in any browser.
Double click on it; it will change to false.
right on the heels of their new Microsoft system w/ 20,000 desktops running Windows XP which was a flop...
to top it off, their outlook based email system just got hacked into yesterday
ah, Microsoft. the company that sells you anti-Spyware protection to protect you from malware in software written by ...Microsoft. kinda sounds like the mafia.
1) When has anyone ever said Firefox was bulletproof. M$ shills here have such a complex that anything that does not worship at the throne of IE is considered 'open source nuts saying their software is indestructible'
2) The best part is Microsoft is partly to blame here, it's their API that's busted; this does not work with Firefox or Mozilla on Linux. I ran the test page there and it did not work.
Even with #2 the best thing for firefox to do would be ship with network.enableIDN set to off by default as most people do not need it.