Det er ikke underligt, at folk ofte undrer sig over hvilke den mest sikre browser er. Browsere er ofte gearede i forskellige angreb scenarier, og endda en opdateret browser kan blive offer for angribere.
Et af de nylige alvorlige sikkerhedsproblemer, der involverer både Google Chrome og Mozilla Firefox, kan føre til kompromis mellem flere sikkerhedsfunktioner i browsere og spoof URL'er i adresselinjen via et simpelt trick. Opdagelsens forfatter er sikkerhedsforsker Rafay Baloch. Heldigvis, problemerne er allerede løst, men andre leverandører skal stadig arbejde på at rette dem. Desuden, Baloch sagde, at han fik betalt en bugpremie i størrelsen af $5,000 på vegne af Google.
RTL-LTR URL Spoofing-problemet forklaret
Spørgsmålet kommer fra den måde, browsere stiller op på webadresser skrevet med blandet RTL (arabisk) og LTR (romersk) tegn.
Tegn fra sprog er f.eks. Arabisk, Hebraisk vises fra RTL (Højre mod venstre) bestille, på grund af forkert håndtering af flere unicode-tegn såsom U + FE70, U + 0622, U+0623 etc and how they are rendered combined with (first strong character) such as an IP address or alphabet could lead to a spoofed URL.
The researcher noticed that when he placed neutral characters like “/” in the filepath which caused the URL to flip and display from right to left. For the URL to be spoofed, the URL needs to begin with an IP address followed by neutral characters. This is because the omnibox recognizes the IP address as a combination of punctuation and numbers. Because the LTR (Left To Right) direction isn’t applied properly, this leads to the entire URL be rendered from RTL (Højre mod venstre).
The RTL-LTR Spoofing Flaw Easy to Exploit
The worst part is that the spoofing issue is very easy to exploit, especially in phishing attacks. An attacker could take the server’s IP address, add some Arabic characters and affix the domain of a legitimate website. The produced URL can be embedded in spam and can be sent out in emails, SMS and IM messages. Upon clicking, the user will be redirected to a page that displays a credible domain but in fact is on a bad server.
Furthermore the address part can be easily hidden, especially on mobile browsers, by choosing a longer URL to make the attack more realistic, Baloch says.
I Firefox, the same issue has been identified as CVE-2016-5267. Men, the exploit itself is slightly different due to Mozilla’s different codebase.