Not Applicable: Homograph Attack via Whatsapp Status

3 years ago 180
BOOK THIS SPACE FOR AD
ARTICLE AD

Divyanshu Shukla

The IDN (Internationalized Domain Name): https://fаcebook.com/is a homograph for the Latin https://xn--fcebook-2fg.com/.
While putting a status on WhatsApp when putting URL it displays https://fаcebook.com/which is a Punycode domain, not the actual facebook domain.
On clicking the status any trusted user might think that he/she is redirected to https://fаcebook.com/ but actually, it is redirecting to a homograph URL https://xn--fcebook-2fg.com/
It would be safer to show homograph URL https://xn--fcebook-2fg.com/ instead of https://fаcebook.com/ (Unicode URL).
So if we use burp collaborator, we can see the DNS and HTTP query from my ISPs IP Address and google’s DNS. That means the domain was resolved locally. So If the domain is resolved attacker can make sure that people are well trying to put status and it can help in creating more sophisticated phishing attacks.

Burp Collaborator url in status

Query in Burp Collaborator for whatsapp status

Impact:

This attack is against the privacy of user since once can craft a Punycode URL and put it in the status and send to the list of specific users. This user might click the link considering it as genuine fаcebook and is redirected to homograph URL which confirms that the user with a specific behaviour is using fаcebook more often.

For example,
In some case of a waterhole, phishing attacker can put the status of multiple links of the different commonly visited website.
Then out of multiple websites, user/group might visit a specific website.
Even in one of these IDN links if the user enters credentials due to carelessness it may make the attack successful.

Other scenarios consist if the browser fails to parse the URL due to url spoofing or take time to load the punycode url then the user may enter credentials to the domain.

Let’s put https://www.аррӏе.com/ in status of whatsapp (which is POC from Xudong Zheng). Now when we open this domain on firefox, it shows it as a apple.com instead on punycode, this issue is already on bugzilla since 15 years.
If a trusted user puts this type of domain and contacts are trying to open suc malicious domain, it is possible that someone may end up downloading malicious file.

Whatsapp status showing fake apple.com

Browser like firefox still shows domains without converting them to there punycode IDNs.(Link: Bugzilla).

Firefox showing homograph url. #Bug 279099

Expected behaviour:

The page should show the homograph URL like facebook profile status.

Solution:

It involves displaying punycode in place of the actual UTF-8 text. Punycode is an ASCII representation of a Unicode domain name, originally implemented as the domain name service infrastructure did not support Unicode (Costello 2003). The Punycode alternative is commonly displayed in both the address bar and the status bar on hover for a particular link.
IDNA issues can be handled on the client side, without requiring any domain name server (DNS) changes.

Facebook has already implemented this for status on profile. It shows the punycode version of the IDN URL in status.

Facebook status for punycode url

Reference:

https://www.xudongz.com/blog/2017/idn-phishing/
https://bugzilla.mozilla.org/show_bug.cgi?id=279099
https://www.charset.org/punycode?encoded=http%3A%2F%2Fxn--eby-7cd.com%2F&decode=Punycode+to+normal+text
https://en.wikipedia.org/wiki/Internationalized_domain_name
https://bugzilla.mozilla.org/show_bug.cgi?id=1332714
https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing
Note: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1174&context=ecuworks2012

Timeline:

Bug reported on May 25
Not Applicable on 19 June (As it is out of scope for social engineering attacks).
Disclosure accepted 22 June.

Note:
I have posted this report even if this bug is Not Applicable because there is a chance that this type of attack might be used in phishing via whatsapp status.
I would like to request researchers, if anyone is interested in taking this further and escalate this to show the real impact or any further feedback or comment regarding these type of attacks.
I am still figuring out the impact of such attacks in the wild. Security analyst in SOC are very welll aware of such kinds of attacks happening in companies.

Thanks & Regards,
Divyanshu Shukla
@justm0rph3u5

Read Entire Article