Monday, February 07, 2005

HOMOGRAPH ATTACKS


A story about how the implementation of a standard across browsers turned into a tragedy

A hacking idea that had been lingering for the past couple of years (since 2002) has now been implemented in practice. This attack poses a security threat to major corporations around the world, and the plain fact is that none of these corporations can take any action against it on their own.

Any URL is exposed to this serious threat, and a URL can be spoofed this way in any of the following browsers:
1. Most Mozilla-based browsers (Firefox 1.0, Camino 0.8.5, Mozilla 1.6, etc.)
2. Safari 1.2.5
3. Opera 7.54
4. OmniWeb 5

Internet Explorer is free from this vulnerability :-) Interesting, huh!


Try these links in any of the browsers listed above

Original URL
Click here to enter paypal
Click here to enter paypal via ssl

Spoofed URL (try in a non-IE browser)
Click here to enter paypal
Click here to enter paypal via ssl


So what has happened?
1. Simply put, all these browsers implemented a standard called IDN (Internationalized Domain Names), which was pushed by Verisign.
Verisign-IDN Details

2. A spoof domain was registered for paypal.com, replacing the Latin "a" with the Cyrillic "а", i.e. Unicode code point U+0430 (decimal 1072) from the Cyrillic block, which is legal under IDN.
To a normal user this reads "paypal", whereas it is really "pаypal" with a Cyrillic а in the second position.

So what can happen?
Simply put, anybody can create a spoof of your bank's login page (Bank of America, HDFC Bank, ICICI Bank), log the credentials entered there and then pass the user on to the original site; the attacker ends up with a database of logins and passwords for bank accounts…
(Phew!! I remember Kingsly and me trying a similar hack using DNS spoofing and HOSTS file spoofing, way back in 1997-98, to grab Hotmail passwords :) to win a bet)

Isn't it devastating?! This trick was actually demonstrated at the end of the ShmooCon 2005 hacker conference by EricJ.

Read more on how an implementation of standards turned into a tragedy at
http://www.cs.technion.ac.il/~gabr/papers/homograph_full.pdf

http://www.shmoo.com/idn/homograph.txt

and the real demonstration at http://www.shmoo.com/idn/

How to avoid this
Apart from Firefox, no other browser has a way to block this.
If you are a Firefox user, type "about:config" in the address bar, search for "idn" and set that property to false. You are now safe.

Users of the other browsers are doomed.
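As an added example (not from the original post, and not the Shmoo Group's demonstration code), the following Python script looks at the two host names discussed above from the defender's side: it converts each to the IDNA/punycode form a resolver actually sends to DNS, classifies the script of every letter in each label, flags labels that mix scripts, and implements the display policy a browser can use as mitigation: show a label in Unicode only when it is written in a single script, otherwise show the raw xn-- form. The sample host names are constructed here, and the script classification (first word of each character's Unicode name) is my own heuristic, since Python exposes no Script property directly; the punycode conversion uses Python's built-in idna codec.

```python
import unicodedata

# Constructed samples: the legitimate label, and a look-alike in which the second
# character is CYRILLIC SMALL LETTER A (U+0430) instead of LATIN SMALL LETTER A.
LEGIT_HOST = "paypal.com"
SPOOF_HOST = "p\u0430ypal.com"


def scripts_in_label(label: str) -> set:
    """Return the set of scripts used by the letters of one DNS label.

    Heuristic (assumption): the first word of a character's Unicode name
    (LATIN, CYRILLIC, GREEK, ...) is taken as its script. Digits and the
    hyphen are script-neutral and are ignored.
    """
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        name = unicodedata.name(ch, "")
        if not name:
            continue  # unassigned or control character: nothing to classify
        scripts.add(name.split(" ")[0])
    return scripts


def is_mixed_script(label: str) -> bool:
    """A label that draws letters from more than one script is a homograph suspect."""
    return len(scripts_in_label(label)) > 1


def to_ascii(host: str) -> str:
    """IDNA form of a host name: what the resolver queries (xn-- labels for non-ASCII)."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """Reverse of to_ascii: decode xn-- labels back to the Unicode the user would see."""
    return host.encode("ascii").decode("idna")


def display_host(host: str) -> str:
    """Render a host the way a cautious browser should.

    Single-script labels are shown as Unicode; mixed-script labels are shown in
    their raw punycode form so the look-alike is visibly not 'paypal'.
    """
    shown = []
    for label in host.split("."):
        if is_mixed_script(label):
            shown.append(label.encode("idna").decode("ascii"))
        else:
            shown.append(label)
    return ".".join(shown)


def analyse(host: str) -> dict:
    """Collect everything a log reviewer would want to know about one host name."""
    labels = host.split(".")
    return {
        "punycode": to_ascii(host),
        "scripts": {label: sorted(scripts_in_label(label)) for label in labels},
        "mixed_script": any(is_mixed_script(label) for label in labels),
        "display": display_host(host),
    }


if __name__ == "__main__":
    for host in (LEGIT_HOST, SPOOF_HOST):
        report = analyse(host)
        print(f"{host!r}")
        for key, value in report.items():
            print(f"  {key:13}: {value}")
```

Run as-is, the script shows the spoof resolving to xn--pypal-4ve.com and being displayed in that form, while the genuine name is left untouched. The mixed-script rule is only a first line of defence: a label built entirely from Cyrillic look-alikes is single-script and passes this check, which is why later browser policies also consult confusable tables and per-TLD script whitelists.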

Fine… but how did IE escape this attack?! The answer is simple: IE lags behind on some standards, and remember that we haven't had any recent updates for IE, which means the IDN standard is not implemented in IE.

Update: Paul Hoffman, co-author of the IDN standard, has a post proposing a set of effective solutions to IDN spoofing: http://lookit.proper.com/archives/000302.html#000302

posted by Logu Krishnan : 4:34 AM