Read Time:1 Minute, 28 Second
Description
The software displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.
Modes of Introduction:
– Architecture and Design
Likelihood of Exploit: Medium
Related Weaknesses
CWE-451
Consequences
Integrity, Confidentiality: Other
An attacker may ultimately redirect a user to a malicious website, by deceiving the user into believing the URL they are accessing is a trusted domain. However, the attack can also be used to forge log entries by using homoglyphs in usernames. Homoglyph manipulations are often the first step towards executing advanced attacks such as stealing a user’s credentials, Cross-Site Scripting (XSS), or log forgery. If an attacker redirects a user to a malicious site, the attacker can mimic a trusted domain to steal account credentials and perform actions on behalf of the user, without the user’s knowledge. Similarly, an attacker could create a username for a website that contains homoglyph characters, making it difficult for an admin to review logs and determine which users performed which actions.
Potential Mitigations
Phase: Implementation
Description:
Phase: Implementation
Description:
CVE References
- CVE-2013-7236
- web forum allows impersonation of users with homoglyphs in account names
- CVE-2012-0584
- Improper character restriction in URLs in web browser
- CVE-2009-0652
- Incomplete denylist does not include homoglyphs of “/” and “?” characters in URLs
- CVE-2017-5015
- web browser does not convert hyphens to punycode, allowing IDN spoofing in URLs
- CVE-2005-0233
- homoglyph spoofing using punycode in URLs and certificates
- CVE-2005-0234
- homoglyph spoofing using punycode in URLs and certificates
- CVE-2005-0235
- homoglyph spoofing using punycode in URLs and certificates
