Site spoofing vulnerability in non-IE browsers

Eric Johanson (with others) has demonstrated a spoofing vulnerability in browsers other than Internet Explorer. IE can however, be vulnerable, depending on what plugins you have installed.

The exploit is possible because of the way browsers such as Mozilla, Firefox, Opera and others handle International Domain Name support. IDNs have been forwarded by such advocates as Verisign.

You can see just what I'm talking about by looking at the proof of concept site here

Proof of concept

It will take you to a simple site with links to PayPal... Or rather links to a site that masquerades as PayPal if you look at the address bar. The site itself is obviously not PayPal but you can see how easy it would be to make it look as if it were by adding the appropriate graphics.

I tried it in Firefox and it worked just as described. Using IE I clicked the links on the PoC site and received a “page cannot be displayed” error.

To disable support for IDNs which make this spoofing possible you can do the following (in Firefox or Mozilla).

In the address bar enter about:config to get the configuration options page. You want to look for the value network.enableIDN which you can double-click to disable. Now if you return to the proof of concept site and click the PayPal link you'll receive an error stating that the site couldn't be found.

To see Eric Johanson's description of the issue you can click here.