This repository has been archived by the owner. It is now read-only.

[hackerone] homepage homograph attack #11001

Closed
diracdeltas opened this Issue Sep 18, 2017 · 2 comments


diracdeltas commented Sep 18, 2017

Test plan

#11006 (comment)


from https://hackerone.com/bugs?report_id=268984&subject=brave:

Steps To Reproduce:

In the browser, add a homepage with the IDN @ebаy.com/ or just ebаy.com/.
Now close and open the browser again.
Click the homepage button. You can see it redirects to http://xn--eby-7cd.com/

Expected result: in the 'home button' field in about:preferences, it should show '@xn--eby-7cd.com/' instead of '@ebаy.com/'.

Video: https://www.youtube.com/watch?v=UgN-XJew9Es&feature=youtu.be

@diracdeltas diracdeltas added this to the 0.21.x (Nightly Channel) milestone Sep 18, 2017


diracdeltas commented Sep 18, 2017

Actually this works even if you don't prefix the URL with '@'. Updating issue accordingly.

@diracdeltas diracdeltas changed the title from "[hackerone] homepage homograph attack with '@' prefix" to "[hackerone] homepage homograph attack" Sep 18, 2017

@diracdeltas diracdeltas modified the milestones: 0.21.x (Nightly Channel), 0.19.x (Beta Channel) Sep 18, 2017

@diracdeltas diracdeltas self-assigned this Sep 18, 2017

diracdeltas added a commit that referenced this issue Sep 19, 2017

fix homepage punycode display bypass
fix #11001

Test Plan:
1. automated tests for homepage should pass
2. try setting your homepage to `ebаy.com/`
3. it should display the punycode

@diracdeltas diracdeltas referenced this issue Sep 19, 2017

Merged

fix homepage punycode display bypass #11006

5 of 8 tasks complete


bbondy commented Sep 20, 2017

master: f2e438d
0.20.x: 905d6c9
0.19.x: a7060a1

syuan100 added a commit to syuan100/browser-laptop that referenced this issue Nov 9, 2017
