IDN Security Hole

An interesting observation regarding yesterday’s security bug. I did this using 1.0+.

Here’s what it looks like when the exploit is presented:
Exploit: example

Now look at the title bar when you “view source”:
Exploit: view Source

Is this a temporary way to validate the authenticity of the website?
I have no clue. I’m just reporting my observations.

3 thoughts on “IDN Security Hole”

  1. OT: What’s this “bug document” icon on your toolbar, between home button and location bar?

  2. The following JavaScript bookmarklet can be used to detect IDN spoofing.

    javascript:alert(%22The real URL is: %22 + location.protocol + %22//%22 + location.hostname + %22/%22 + %22\nThe address URL is: %22 + location.href + %22\n%22 + %22If the server names do not match, this may be a spoof.%22);

    It works well for our beloved Safari.
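An added example, not part of the original post or of the comment above: where the bookmarklet shows the hostname for a person to compare by eye, this sketch does the comparison in code by reporting the ASCII ("xn--") hostname the browser will contact and any label that mixes Latin letters with letters from another script. The function name `inspectHostname` and the sample URLs are assumptions made for illustration; labels that arrive already encoded as "xn--" are listed but not decoded.

```javascript
// Added example (not from the original post). Sample URLs are constructed.
// Returns the ASCII hostname that is actually contacted, plus any labels that
// are IDN-encoded or that mix Latin letters with letters from another script.
function inspectHostname(urlString) {
  // The WHATWG URL parser converts internationalized labels to their "xn--" form.
  const asciiHost = new URL(urlString).hostname;
  const idnLabels = asciiHost.split(".").filter((l) => l.startsWith("xn--"));

  // Recover the host as it was typed or displayed: strip scheme, userinfo, port.
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(urlString);
  const rawHost = m ? m[1].replace(/^.*@/, "").replace(/:\d*$/, "") : "";

  const mixedScriptLabels = rawHost.split(".").filter((label) => {
    let latin = false;
    let other = false;
    for (const ch of label) {
      if (!/\p{L}/u.test(ch)) continue; // ignore digits and hyphens
      if (/\p{Script=Latin}/u.test(ch)) latin = true;
      else other = true;
    }
    return latin && other;
  });

  let verdict = "ascii";
  if (idnLabels.length > 0) verdict = "idn";
  if (mixedScriptLabels.length > 0) verdict = "mixed-script";
  return { asciiHost, idnLabels, mixedScriptLabels, verdict };
}

// Constructed samples: the second uses U+0430 (Cyrillic "а") in place of Latin "a".
for (const sample of ["https://www.example.com/", "http://www.ex\u0430mple.com/login"]) {
  console.log(sample, inspectHostname(sample));
}
```

A verdict of "idn" alone is not a sign of spoofing, since legitimate internationalized names exist; "mixed-script" is the case that resembles the lookalike names discussed here.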
