Security consideration: math symbols in an exotic IP address format in a phishing mail
Martin J. Dürst
duerst at it.aoyama.ac.jp
Sun May 17 18:42:58 CDT 2020
Hello Marius, others,
On 17/05/2020 08:43, Marius Spix via Unicode wrote:
> Today I received an interesting phishing mail which had a URL
> containing mathematical bold numbers. Interestingly the address
> 𝟎𝟓𝟔𝟕𝟏𝟑𝟔𝟎𝟑𝟎𝟐 was interpreted as an octal number 05671360302, which is
> another spelling for 46.229.224.194. This worked for both Firefox and
> Chrome. I don’t know why such an address is accepted in the authority
> part of an HTTPS URI of current browsers. Section 7.4 in RFC 3986 states
> that additional IP address formats can become a security concern, but
> it also says that literals should be converted to numeric form.
I'm somehow wondering what the *Unicode* phishing story is here. The
user saw 𝟎𝟓𝟔𝟕𝟏𝟑𝟔𝟎𝟑𝟎𝟐, which was interpreted as 05671360302,
which shouldn't be too surprising unless somebody is familiar with
mathematical bold numbers.
The average user wouldn't know what 05671360302 is (unless it's e.g. a
familiar telephone number). That should lead the user to reject this
URL, and the phishing to fail. A similar result might be expected for
46.229.224.194. Of course, the URL could be designed so as to make these
numbers appear natural. And the user may click anyway.
There's a Unicode issue if we assume that a) phishing checkers check
for cases such as 05671360302, or b) browsers,... don't resolve
05671360302 if it's in ASCII, but 𝟎𝟓𝟔𝟕𝟏𝟑𝟔𝟎𝟑𝟎𝟐 gets through.
Otherwise, there may be a security issue, but it's not a Unicode one.
> I wonder if this case should be added to UTR #36.
Security considerations are always additive, so I'd guess yes.
Regards, Martin.
> Regards
>
> Marius
>
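The two steps Marius describes (the bold digits being folded to ASCII, then the all-digit host being read as an octal IPv4 literal), followed by the kind of check Martin's case a) and case b) call for, as an added example that is not part of this thread or of any browser's code. It re-implements the WHATWG URL standard's "ends in a number" check and IPv4 parser (decimal, leading-0 octal, 0x hex, one to four parts) on top of an NFKC fold; actual browsers run UTS #46 processing rather than a plain NFKC, and a given browser version may differ in details. The function names, the `inspectAuthority` report format and the non-phishing sample hosts are this example's own; the host 𝟎𝟓𝟔𝟕𝟏𝟑𝟔𝟎𝟑𝟎𝟐 is the one from the mail.

```javascript
// Added example (not from the original thread): how a browser-style host
// parser turns 𝟎𝟓𝟔𝟕𝟏𝟑𝟔𝟎𝟑𝟎𝟐 into 46.229.224.194, and a check that a phishing
// filter can run on the raw authority before the browser gets to it.
// Function names and the report shape are this example's own assumptions.

// Step 1: compatibility fold. NFKC maps MATHEMATICAL BOLD DIGIT ZERO
// (U+1D7CE) .. NINE (U+1D7D7) to ASCII '0'..'9'; browsers do the
// equivalent via UTS #46 host processing.
function normalizeHost(host) {
  return host.normalize("NFKC").toLowerCase();
}

// Step 2a: WHATWG "IPv4 number parser" for a single dotted part.
// Returns an integer, or null if the part is not a number in any of the
// accepted radices.
function parseIPv4Number(part) {
  if (part === "") return null;
  let s = part;
  let radix = 10;
  if (s.length >= 2 && (s.startsWith("0x") || s.startsWith("0X"))) {
    s = s.slice(2);            // "0x..." is hexadecimal
    radix = 16;
  } else if (s.length >= 2 && s[0] === "0") {
    s = s.slice(1);            // "0..." is octal, which is the case in the mail
    radix = 8;
  }
  if (s === "") return 0;      // bare "0x" or "0" after stripping
  const digits = { 8: /^[0-7]+$/, 10: /^[0-9]+$/, 16: /^[0-9a-f]+$/ }[radix];
  if (!digits.test(s)) return null;
  return parseInt(s, radix);   // < 2^32 in any accepted case, exact as a double
}

// Step 2b: WHATWG "ends in a number" check, which decides whether a host
// is handed to the IPv4 parser at all instead of being treated as a domain.
function endsInANumber(host) {
  const parts = host.split(".");
  if (parts[parts.length - 1] === "") {
    if (parts.length === 1) return false;
    parts.pop();
  }
  const last = parts[parts.length - 1];
  if (/^[0-9]+$/.test(last)) return true;
  return parseIPv4Number(last) !== null;
}

// Step 2c: WHATWG "IPv4 parser". Returns the 32-bit address as an integer,
// or null on failure (too many parts, non-numeric part, out-of-range part).
function parseIPv4Host(host) {
  const parts = host.split(".");
  if (parts[parts.length - 1] === "" && parts.length > 1) parts.pop();
  if (parts.length > 4) return null;
  const numbers = [];
  for (const p of parts) {
    const n = parseIPv4Number(p);
    if (n === null) return null;
    numbers.push(n);
  }
  // All but the last part must fit in one byte; the last part absorbs the
  // remaining bytes (so "46.15065282" is also a valid spelling).
  for (let i = 0; i < numbers.length - 1; i++) if (numbers[i] > 255) return null;
  const last = numbers[numbers.length - 1];
  if (last >= 256 ** (5 - numbers.length)) return null;
  let ipv4 = last;
  for (let i = 0; i < numbers.length - 1; i++) ipv4 += numbers[i] * 256 ** (3 - i);
  return ipv4;
}

function dottedQuad(n) {
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 255).join(".");
}

// Canonical host as a browser would resolve it: dotted-quad for IPv4
// literals in any spelling, the folded name for domains, null if invalid.
function canonicalHost(rawHost) {
  const host = normalizeHost(rawHost);
  if (!endsInANumber(host)) return host;
  const ipv4 = parseIPv4Host(host);
  return ipv4 === null ? null : dottedQuad(ipv4);
}

// Phishing-filter view of an authority: flags non-ASCII digits before the
// fold (Martin's case b: don't let 𝟎𝟓... through where 05... is refused),
// and flags numeric hosts whose spelling differs from the canonical
// dotted quad (Martin's case a: catch 05671360302 itself).
function inspectAuthority(rawHost) {
  const nonAsciiDigits = [...rawHost].filter((ch) => /\p{Nd}/u.test(ch) && !/[0-9]/.test(ch)).length;
  const normalized = normalizeHost(rawHost);
  const canonical = canonicalHost(rawHost);
  const numericHost = endsInANumber(normalized);
  return {
    rawHost,
    nonAsciiDigits,
    numericHost,
    canonical,
    obfuscatedSpelling: numericHost && canonical !== null && canonical !== normalized,
  };
}

// Stand-alone demo on the host from the mail, compared with the runtime's
// own URL class (the comparison is informational; results depend on the
// runtime's URL implementation).
const sampleHost = "𝟎𝟓𝟔𝟕𝟏𝟑𝟔𝟎𝟑𝟎𝟐";
console.log(inspectAuthority(sampleHost));
try {
  console.log("URL class hostname:", new URL("https://" + sampleHost + "/").hostname);
} catch (e) {
  console.log("URL class rejected the host:", e.message);
}
```

A filter that only inspects the folded host would see `05671360302` and might reject it as an odd octal literal while still letting the bold-digit spelling through if it inspected the raw bytes first; `inspectAuthority` reports both views so the decision can be made on the canonical address (`46.229.224.194`) regardless of which spelling or script the sender chose.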