SoylentNews is people

posted by cmn32480 on Friday August 19 2016, @11:33AM
from the acrobatic-browsers dept.

Arthur T Knackerbracket has found the following story:

Chrome, Firefox and other web browsers are plagued by vulnerabilities that can be exploited to spoof their address bar. Some of the affected vendors are still working on addressing the issues.

Pakistan-based researcher Rafay Baloch discovered that the address bar in Google Chrome, also known as the omnibox, can be tricked into flipping URLs.

The problem, which affects Chrome for Android, is related to how Arabic and Hebrew text is written from right to left (RTL). If an attacker's URL starts with an IP address and it contains an Arabic character, the URL's host and path are reversed.

For example, the URL 127.0.0.1/ا/http://example.com becomes http://example.com/‭ا/127.0.0.1 as it contains the "ا" character, the Arabic letter alef, which causes the URL to be rendered RTL. The method works with other Arabic characters as well, as long as they are the rightmost "strong" character – the numbers and the dots in the IP address are considered "weak" characters.
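
A defender-side check for the condition described above, as an added example that is not from the article or from Baloch's post: it flags a URL whose host contains only weak or neutral characters (such as an IP literal) when the first strong character that follows is right-to-left, and separately flags explicit bidi control characters. The function names are hypothetical, the first-strong test is a simplification of the Unicode Bidirectional Algorithm (UAX #9, rules P2/P3) rather than a full implementation, and the sample URLs other than the article's are constructed.

```python
import re
import unicodedata

STRONG = {"L": "ltr", "R": "rtl", "AL": "rtl"}
# Explicit embedding/override/isolate classes, plus the invisible direction marks.
CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
INVISIBLE_MARKS = {"\u200e", "\u200f", "\u061c"}  # LRM, RLM, ALM


def first_strong(text):
    """Direction of the first strong character, or None if there is none."""
    for ch in text:
        direction = STRONG.get(unicodedata.bidirectional(ch))
        if direction:
            return direction
    return None


def split_host(url):
    """Return (host, rest) with scheme, userinfo and port stripped from host."""
    m = re.match(r"(?:[A-Za-z][A-Za-z0-9+.-]*://)?([^/?#]*)(.*)", url, re.S)
    host = m.group(1).rsplit("@", 1)[-1]
    host = host[1:].split("]")[0] if host.startswith("[") else host.split(":")[0]
    return host, m.group(2)


def audit_displayed_url(url):
    """Return a sorted list of findings for a URL as it would be displayed."""
    findings = set()
    if any(unicodedata.bidirectional(c) in CONTROL_CLASSES or c in INVISIBLE_MARKS
           for c in url):
        findings.add("bidi-control-character")
    host, rest = split_host(url)
    # Digits and dots are weak, so an IP-literal host gives the renderer no
    # left-to-right anchor; the first strong character then sets the direction.
    if first_strong(host) is None and first_strong(rest) == "rtl":
        findings.add("rtl-first-strong-after-weak-host")
    return sorted(findings)


# The first sample is the URL quoted in the article; the others are constructed.
SAMPLES = [
    "127.0.0.1/\u0627/http://example.com",
    "http://example.com/\u0627/127.0.0.1",
    "example.com/a\u202eb",
]
```

A URL that trips either finding is a candidate for display with a forced left-to-right base direction or with its non-ASCII path percent-encoded.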

"The IP address part can be easily hidden, especially on mobile browsers, by selecting a long URL (google.com/fakepath/fakepath/fakepath/... /127.0.0.1) in order to make the attack look more realistic," Baloch explained in a blog post. "In order to make the attack more realistic, the Unicode version of the padlock can be used in order to demonstrate the presence of SSL."


  • (Score: 5, Insightful) by Subsentient on Friday August 19 2016, @11:53AM

    by Subsentient (1111) on Friday August 19 2016, @11:53AM (#390031) Homepage Journal

    Rarely do vulnerabilities spook me, but it makes me worry when someone can fake the URL in the address bar. And Let's Encrypt, god bless them, might be what scammers would want to pair with this vulnerability to make a very convincing decoy.

    --
    "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
  • (Score: -1, Troll) by Ethanol-fueled on Friday August 19 2016, @01:26PM

    by Ethanol-fueled (2792) on Friday August 19 2016, @01:26PM (#390050) Homepage

    If you speak any language which would subject you to this exploit, then you deserve to be exploited.

    • (Score: 1, Touché) by Anonymous Coward on Friday August 19 2016, @01:52PM

      by Anonymous Coward on Friday August 19 2016, @01:52PM (#390058)

      I'll take the bait.

      This exploit also affects people who can't read Arabic or Hebrew, or any other RTL languages, if there are any. I should correct your phrase to read anyone with your level of ignorance deserves to be exploited.

      On-topic - I do also wonder if using the RTL Unicode markers and other similar rendering controls in a URL can cause a similar effect, or if those have already been taken account of. Quite an interesting exploit, it reminds me of earlier Unicode attacks using identical-looking glyphs in the higher ranges of Unicode which look like traditional ASCII characters, to make you think you're visiting one site but you're actually on a completely different domain.

      • (Score: 4, Insightful) by RamiK on Friday August 19 2016, @02:12PM

        by RamiK (1813) on Friday August 19 2016, @02:12PM (#390071)

        I'm with Ethel on this. If you* parse anything other than ASCII in URL addresses, you deserve to be exploited.

        Unicode in the URL addresses is asinine. 256 chars should be enough for everybody.

        And yeah. I know that's not what he meant. I choose to read between the profanities :D

        *a browser

        --
        compiling...
        • (Score: 0) by Anonymous Coward on Friday August 19 2016, @05:19PM

          by Anonymous Coward on Friday August 19 2016, @05:19PM (#390166)

          I'm sure you parse *every* URL which is inserted into your address bar. And I'm sure you'd never be fooled with a tiny font which could look like a Latin character. Fuckin douche rag.

          • (Score: 0) by Anonymous Coward on Friday August 19 2016, @08:40PM

            by Anonymous Coward on Friday August 19 2016, @08:40PM (#390269)

            I'm sure you parse *every* URL which is inserted into your address bar. And I'm sure you'd never be fooled with a tiny font which could look like a Latin character. Fuckin douche rag.

            Whoosh... It was a criticism against unicode URLs and the browsers that implement this "standard".

            I'm with Ethel on this. If you* parse anything other than ASCII in URL addresses, you deserve to be exploited.
            .
            .
            .
            *a browser

            parse:

            I'm with Ethel on this. If [a browser] parse[s] anything other than ASCII in URL addresses, [the browser] deserve[s] to be exploited.

    • (Score: 3, Informative) by ledow on Friday August 19 2016, @02:33PM

      by ledow (5567) on Friday August 19 2016, @02:33PM (#390084) Homepage

      Please take your racism - "joking" or not - elsewhere.

      • (Score: 2) by http on Friday August 19 2016, @09:51PM

        by http (1920) on Friday August 19 2016, @09:51PM (#390312)

        Racist jokes are never a joke. They are intended to present racism as normal to other racists, and the phrase "just joking" is a deception. To other racists, it's condonement, and needs no "apology".

        --
        I browse at -1 when I have mod points. It's unsettling.
        • (Score: -1, Flamebait) by Anonymous Coward on Saturday August 20 2016, @12:07AM

          by Anonymous Coward on Saturday August 20 2016, @12:07AM (#390350)

          Nigger shave.

  • (Score: 2, Informative) by anubi on Saturday August 20 2016, @07:08AM

    by anubi (2828) on Saturday August 20 2016, @07:08AM (#390519) Journal
    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]