Spoofing Flaw Found in Non-IE Browsers

At a convention of hackers on the East Coast over the weekend, a security flaw was reported in non-Microsoft browsers that could allow someone to spoof the Web site of a real company simply by adding code to a link.

The ASCII coding is used by computers to translate a numerical code into an alphabetical letter. In the case of domain names, it is being used for the International Domain Name (IDN) specification in order to allow domains to be typed with country-specific characters such as the Spanish "ñ" or German "ü."

To support non-standard letters, the URL is changed into a special coding that the browser can understand - and that's where the problem occurs. The group that discovered the issue offered one example, shown on its Web site, which spoofs the URL for the PayPal service.

The link is translated into the code, which looks like p&#1072;ypal.com. The coding is the translation of the letter "a"; however, browsers that translate the code to use the international characters will mistakenly load up the URL: xn--pypal-4ve.com.
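The translation described above can be reproduced and checked from the defender's side. This is an added example, not code from the article or from the group that reported the flaw. It decodes the character reference (code point 1072 is the Cyrillic small letter "а"), computes the xn-- form with Python's built-in IDNA 2003 codec, and flags labels that mix scripts; the function names and the script heuristic (first word of the Unicode character name) are assumptions of this sketch.

```python
import html
import unicodedata


def to_ace(hostname: str) -> str:
    """Return the ASCII (xn--) form that is actually looked up (IDNA 2003 codec)."""
    return hostname.encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def mixed_script_labels(hostname: str) -> list:
    """List the labels whose letters come from more than one script."""
    return [lab for lab in hostname.split(".") if len(scripts_in(lab)) > 1]


def inspect_link_host(raw: str) -> dict:
    """Decode HTML character references, then report shown form, ACE form and flags."""
    shown = html.unescape(raw).lower()
    return {"shown": shown,
            "ace": to_ace(shown),
            "mixed": mixed_script_labels(shown)}


# Constructed samples: the article's link text, the genuine name, a legitimate IDN.
SAMPLES = ["p&#1072;ypal.com", "paypal.com", "m&#252;nchen.de"]

if __name__ == "__main__":
    for raw in SAMPLES:
        result = inspect_link_host(raw)
        verdict = "SUSPICIOUS (mixed scripts)" if result["mixed"] else "ok"
        print(f"{raw:18} -> {result['ace']:20} {verdict}")
```

A label written entirely in one non-Latin script passes this check, so it covers only the mixed-script case the article describes.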

With phishing scams on the rise, banks and services such as PayPal have endeavored to protect users by instructing them to make sure the Web addresses they visit are legitimate before inputting sensitive information. But this flaw means Web browsers will appear to load a proper site, while in actuality taking users to a different location.

The group said the problem affects all non-Microsoft browsers, as they support the IDN standard. Internet Explorer does not natively support IDN at the current time unless a plug-in is installed.

Because the flaw lies in the basic implementation of IDN, it's unclear how browser vendors will protect their users. Mozilla developers say they are working on a long-term solution to the issue, and in the meantime will instruct users on disabling IDN support.

Opera, on the other hand, says it has correctly implemented the specification and will not be making any changes. Apple and VeriSign, which championed IDN, have not responded to the problem.