Security consideration: math symbols in an exotic IP address format in a phishing mail

Phake Nick c933103 at gmail.com
Mon May 18 09:04:14 CDT 2020


Somewhat relevant: I have previously observed that, if you type/produce a
link such as http://www.abc.def/ghi?jk=lm and then replace symbol characters
in the link with some other confusable symbols, like full-width punctuation
and such, that link will still take you to the intended address. Different
browsers accept different characters. Sometimes, when such a link format is
posted onto internet communities that restrict link sharing, such links
formed from alternative Unicode characters can bypass link restrictions in
those communities and potentially take unsuspecting netizens to harmful
websites.
I don't understand why browsers would normalize links being clicked/typed
in such a way, which would expose users to such a risk.

On Sun, 17 May 2020 at 13:56, Marius Spix via Unicode <unicode at unicode.org> wrote:

> Today I received an interesting phishing mail which had a URL
> containing mathematical bold numbers. Interestingly, the address
> 𝟎𝟓𝟔𝟕𝟏𝟑𝟔𝟎𝟑𝟎𝟐 was interpreted as the octal number 05671360302,
> which is another spelling for 46.229.224.194. This worked for both
> Firefox and Chrome. I don't know why such an address is accepted in the
> authority part of an HTTPS URI by current browsers. Section 7.4 in
> RFC 3986 states that additional IP address formats can become a security
> concern, but it also says that literals should be converted to numeric
> form.
>
> I wonder if this case should be added to UTR #36.
>
> Regards
>
> Marius
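The two behaviours discussed in this thread, compatibility-folded digits in the host and an octal IPv4 literal, can both be checked for on the receiving side, for example in a mail filter. The following is an added example written for this page, not code from either poster; it uses NFKC as a stand-in for the UTS #46 mapping browsers apply to hosts, and `decode_ipv4_literal` approximates the WHATWG IPv4 parsing rules (decimal, leading-zero octal, 0x hex, last part filling the remaining bytes) rather than reproducing any one browser exactly.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

def decode_ipv4_literal(host: str):
    """Read an IPv4 literal the way browser URL parsers do: up to four dot-separated
    parts, each decimal, octal (leading 0) or hex (0x); the last part fills the remaining
    bytes. Returns the canonical dotted quad, or None if host is not an IPv4 literal."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()  # a single trailing dot is tolerated
    if not 1 <= len(parts) <= 4 or "" in parts:
        return None
    nums = []
    for part in parts:
        if part[:2].lower() == "0x":
            base, digits = 16, part[2:] or "0"
        elif len(part) > 1 and part[0] == "0":
            base, digits = 8, part[1:]
        else:
            base, digits = 10, part
        # int() would also accept signs, underscores and non-ASCII digits; reject those
        if not (digits.isascii() and digits.isalnum()):
            return None
        try:
            nums.append(int(digits, base))
        except ValueError:
            return None
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value += n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))

def inspect_url(url: str) -> dict:
    """Flag a link whose host is an IP literal only after the compatibility folding
    browsers apply (NFKC here, standing in for the UTS #46 mapping), or whose IPv4
    address is spelled in a non dotted-decimal form such as octal."""
    folded = unicodedata.normalize("NFKC", url)
    host = urlsplit(folded).hostname or ""
    ip = decode_ipv4_literal(host)
    return {"host": host,
            "confusables": folded != url,  # e.g. math bold digits, fullwidth punctuation
            "ipv4": ip,
            "nonstandard_ipv4": ip is not None and host != ip}

if __name__ == "__main__":  # constructed sample, using the digits quoted in the thread
    print(inspect_url("https://𝟎𝟓𝟔𝟕𝟏𝟑𝟔𝟎𝟑𝟎𝟐/login"))
    print(inspect_url("http://0x2e.229.0340.194/"))
```

A link that reports both `confusables` and `nonstandard_ipv4` is the pattern Marius describes; either flag alone is still worth surfacing in mail triage.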