Security consideration: math symbols in an exotic IP address format in a phishing mail

Shawn Steele Shawn.Steele at microsoft.com
Wed May 20 11:27:32 CDT 2020


Anyone validating links as supposed below should make sure that IDN style normalization happens first...

It's kind of a "common" security problem that folks try to check for "security" of data prior to that data undergoing a transformation of some kind, at which point the previous security check may no longer be valid.

Note that "Full width" isn't exactly "confusable" in the way IDN thinks of it, since they're mapped directly to their corresponding character.  Normally "confusable" is used to refer to characters that may appear similar yet end up resolving to something different.

-Shawn

-----Original Message-----
From: Unicode <unicode-bounces at unicode.org> On Behalf Of Richard Wordingham via Unicode
Sent: Wednesday, May 20, 2020 1:03 AM
To: unicode at unicode.org
Subject: Re: Security consideration: math symbols in an exotic IP address format in a phishing mail

On Mon, 18 May 2020 22:04:14 +0800
Phake Nick via Unicode <unicode at unicode.org> wrote:

> Somewhat relevant, I have previously observed that, if you 
> type/produce a link of http://www.abc.def/ghi?jk=lm , and then replace 
> symbol characters in the link with some other confusable symbols, like 
> full width punctuation and such, that link will still take you to the 
> intended address. Different browsers accept different characters. 
> Sometimes when such a link format is being posted onto internet 
> communities that restrict link sharing, such alternative unicode 
> characters formed links can bypass link restrictions in those 
> communities and potentially take unsuspecting netizens to harmful 
> websites. I don't understand why browsers would normalize links being 
> clicked/typed in such way which would expose users to such risk.

Possible because it hasn't occurred to them to ban users of CJK scripts?  Seriously, forcing users to explicitly type narrow punctuation may be one hurdle too far for usability by some.  Not all user input of URLs is mere copy and paste.  Sometimes one has to manually convert '%2F' to '/'.

Calling these characters confusables misses the point that they are variants of ASCII characters.

Richard.




More information about the Unicode mailing list