HOMOGRAPH ATTACKS - Posted On 13th Mar 2005
A story about how the implementation of a standard across browsers turned into a tragedy.
A hacking idea that had been lingering for the past couple of years (since 2002) has now been put into practice. This attack poses a security threat to major corporations around the world, and the plain truth is that none of these corporations can take any real action against it.
Any URL can be spoofed by this serious threat, and the spoof works in any of the following browsers:
1. Most Mozilla-based browsers (Firefox 1.0, Camino 0.8.5, Mozilla 1.6, etc.)
2. Safari 1.2.5
3. Opera 7.54
4. Omniweb 5
Internet Explorer is free from this vulnerability. Interesting, huh!
Try these links in any of the browsers listed above.
Original URL:
Click here to enter PayPal
Click here to enter PayPal via SSL
Spoofed URL (try using non-IE browsers):
Click here to enter PayPal
Click here to enter PayPal via SSL
So what has happened?
1. Simply, all these browsers implemented a standard called IDN (Internationalized Domain Names), which was pushed by Verisign.
Verisign IDN details
2. A spoof URL was registered for paypal.com with the "a" replaced by "а", i.e. the character &#1072; (U+0430) from the Cyrillic subset of Unicode, which is perfectly legal under IDN.
This reads "paypal" to normal users, whereas it is actually "pаypal" with a Cyrillic а in place of the Latin a.
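The check below is an added example, not code from the original post or from the ShmooCon demonstration. It takes a hostname in either Unicode or ACE ("xn--") form, decodes it with Python's idna codec, and reports labels that mix scripts or that, after mapping look-alike Cyrillic letters to Latin, match a constructed watch-list of brand names; the look-alike table and the watch-list are illustrative assumptions, not a complete confusables database.

```python
import unicodedata

# Cyrillic lowercase letters whose glyphs are near-identical to Latin ones.
# Constructed subset for illustration, not a complete confusables table.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}
# Constructed watch-list of brand labels a filter would protect.
WATCHLIST = {"paypal", "bankofamerica", "hdfcbank", "icicibank"}


def script_of(ch: str) -> str:
    """Coarse script of one letter, taken from its Unicode character name."""
    try:
        return unicodedata.name(ch).split()[0]   # e.g. "LATIN", "CYRILLIC"
    except ValueError:
        return "UNKNOWN"


def skeleton(label: str) -> str:
    """Replace known Cyrillic look-alikes with the Latin letters they resemble."""
    return "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)


def analyse_hostname(hostname: str) -> dict:
    """Decode any xn-- labels and report homograph indicators per label."""
    # Round-tripping through the idna codec normalises both Unicode and
    # ACE (punycode) input to the Unicode form the browser would display.
    unicode_host = hostname.encode("idna").decode("idna")
    ascii_host = unicode_host.encode("idna").decode("ascii")
    findings = []
    for label in unicode_host.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"{label}: mixes scripts {sorted(scripts)}")
        if "CYRILLIC" in scripts and skeleton(label) in WATCHLIST:
            findings.append(f"{label}: renders like watch-listed '{skeleton(label)}'")
    return {"unicode": unicode_host, "ascii": ascii_host, "findings": findings}


if __name__ == "__main__":
    # "p\u0430ypal" is the page's spoof label: Cyrillic а (U+0430) for Latin a.
    for host in ("paypal.com", "p\u0430ypal.com", "xn--pypal-4ve.com"):
        print(analyse_hostname(host))
```

Run on the spoofed label the post describes, the ASCII (punycode) form the browser actually resolves is reported alongside the Unicode form it displays, which is what a proxy or mail filter would log and compare.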
So what can happen? Simply, anybody can create a spoof of your bank's login page (Bank of America, HDFC Bank, ICICI Bank), log the credentials and later pass them on to the original site; the hacker would then have a database of logins and passwords for the bank accounts…
Isn't it devastating?! This trick was actually demonstrated at the end of the ShmooCon 2005 hackers' conference by EricJ.
Read more on how the implementation of a standard turned into a tragedy at
http://www.cs.technion.ac.il/~gabr/papers/homograph_full.pdf
http://www.shmoo.com/idn/homograph.txt
and see the real demonstration at
http://www.shmoo.com/idn/
How to avoid this
Except for Firefox, no other browser has a way to block this.
If you are a Firefox user, type "about:config" in the address bar, search for "idn" and set the property to false. You are now safe.
Other browser users are doomed.
Fine… but how did IE escape this attack?! The answer is simple: IE is a bit behind on some standards, and remember that we haven't had any recent updates for IE, which means the IDN standard is not implemented in IE.
Update: Paul Hoffman, co-author of the IDN standard, has a post proposing a set of effective solutions for IDN spoofing:
http://lookit.proper.com/archives/000302.html#000302