The spoof exploits flaws in how the browsers interpret Unicode, a broad character set used in IDN that allows URLs to include non-English characters. Unicode can be used to craft "homographic" attacks, in which two different combinations of characters in an HTML link can display the same URL in the browser, but send users to different sites. URL spoofing exploits are useful to Internet phishing scams, making it easier to trick victims into sharing sensitive information with bogus web sites constructed by fraudsters.
The spoofing flaw was demonstrated by the Shmoo Group, which used a Unicode link to display www.paypal.com in the address bar of affected browsers, but send users to www.xn--pypal-4ve.com - which then displays "www.paypal.com" in its address bar. A similar spoof works on SSL-enabled URLs (https) commonly used on banking and e-commerce sites.
The attack can be disabled in Firefox and Mozilla by setting 'network.enableIDN' to false in the browser's configuration (enter about:config in the address bar to access the configuration functions). The Mozilla development team today made this the default setting. Users who want IDN support will be able to turn it on, but will be warned about the risks involved.
"This is obviously an unsatisfactory solution in the long term and it is hoped that a better fix can be developed in time for Firefox 1.1," the Mozilla Foundation said in its advisory. "For now, the Mozilla Foundation (and other browser vendors such as Opera Software) maintain that the problem is mostly the fault of domain name registries and registrars that let people register homographic variants of existing domain names."
The Mozilla team said that domain registrars are ignoring ICANN guidelines on IDN, and have developed a list of problematic Unicode characters that could be banned in domain names to limit homographic attacks.