itchio / itch.io

:bug: Public itch.io issues tracker and documentation - use support instead for private information!
https://itch.io/support

Open to Homograph Attacks Via User Profile Website #784

Open eraymitrani opened 6 years ago

eraymitrani commented 6 years ago

If a user edits their profile and sets their webpage to something like "http://googlе.com" it will redirect to http://xn--googl-3we.com which can be used for phishing or getting free ad revenue.

leafo commented 6 years ago

Any user-provided link is vulnerable to this, since the user can link to whatever they want. The profile link is no special case. I'm not sure if it's the website's responsibility to block these things. Can you show me examples of how any other sites have mitigated this?

eraymitrani commented 6 years ago

For example, if you try it in Facebook chat or LinkedIn it shows the punycode version of the link. I've seen another approach where Rockstar forums just look for special characters in the link and don't let you post them on your profile, claiming "unsafe link". So you can force all links to appear as their punycode version or just filter characters that shouldn't be in URLs.

Check out here: https://www.charset.org/punycode?encoded=http://xn--eby-7cd.com/&decode=Punycode+to+normal+text

polm commented 6 years ago

I'd like to put in a vote for not just showing the punycode.

I've discussed sites with internationalized URLs in Slack before, which converts all URLs to punycode. Sometimes I'll mention 価格.com, and a sentence like "what about 価格.com" turns into "what about xn--1sqt31d.com" and nobody has any idea what I'm talking about.

One approach you could take to avoiding homograph attacks that avoids this problem is looking for mixed scripts, for example the use of Cyrillic and Latin text together, which is basically not used in legitimate URLs as far as I know. You could then flag those URLs.
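The mixed-script check proposed above, written up as an added example (not code from itch.io or from anyone in this thread): it splits the hostname of a user-supplied URL into labels, classifies each character's script from its Unicode name, and flags labels that combine scripts, while still reporting the punycode form so the two approaches discussed in the thread can be compared on the same input. The script table, grouping and function names are assumptions chosen for this example.

```python
"""Flag mixed-script hostnames in user-supplied profile links (added example)."""
import unicodedata
from urllib.parse import urlsplit

# Scripts recognised by the first word of unicodedata.name(); everything else
# (digits, hyphen, full stop) is treated as script-neutral. Han, Hiragana and
# Katakana are grouped because Japanese labels legitimately mix all three.
SCRIPT_BY_NAME_PREFIX = {
    "LATIN": "Latin", "CYRILLIC": "Cyrillic", "GREEK": "Greek",
    "ARABIC": "Arabic", "HEBREW": "Hebrew", "HANGUL": "Hangul",
    "CJK": "CJK", "HIRAGANA": "CJK", "KATAKANA": "CJK",
}


def scripts_in_label(label):
    """Return the set of scripts used by a single DNS label."""
    found = set()
    for ch in label:
        prefix = unicodedata.name(ch, "").split(" ", 1)[0]
        script = SCRIPT_BY_NAME_PREFIX.get(prefix)
        if script:
            found.add(script)
    return found


def check_profile_url(url):
    """Classify a user-provided URL.

    Returns the hostname as typed, its punycode (ACE) form as the browser will
    resolve it, and the labels that mix scripts. A label written entirely in one
    confusable script is not caught by this check; showing the punycode form
    still covers that case.
    """
    host = urlsplit(url).hostname or ""
    ace = host.encode("idna").decode("ascii")  # Python's idna codec (IDNA 2003)
    mixed = [label for label in host.split(".") if len(scripts_in_label(label)) > 1]
    return {"host": host, "punycode": ace,
            "mixed_script_labels": mixed, "suspicious": bool(mixed)}


if __name__ == "__main__":
    # Constructed samples: the Cyrillic-e lookalike from the report, the
    # legitimate Japanese domain from the thread, and a plain ASCII link.
    for sample in ("http://googl\u0435.com", "http://価格.com", "https://itch.io/support"):
        print(check_profile_url(sample))
```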