Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum
Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Off-topic
  3. Firefox: IDN Punycode Exploitation - here's how to fix it

Firefox: IDN Punycode Exploitation - here's how to fix it

Scheduled Pinned Locked Moved Off-topic
2 Posts 2 Posters 475 Views
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • humptydumptyH Offline
    humptydumptyH Offline
    humptydumpty
    wrote on last edited by
    #1

    https://arstechnica.com/gadgets/2021/07/with-help-from-google-impersonated-brave-com-website-pushes-malware/

    TL;DR - Brave.com got spoofed and pushed malware through downloads using IDN Punycode exploitation.

    Here is a demonstration (safe to click): https://www.аррӏе.com/

    This issue affects Firefox only as it remains the only browser without a fix (by default).

    Here's how to fix it:

    In the Firefox address bar, type:

    about:config

    Find the following and toggle it to "TRUE"

    network.IDN_show_punycode

    You're done! You should be able to see the raw url now instead of the masked one in the address bar and also in the bottom left of the browser page while hovering on it.

    Sources:

    https://www.tenforums.com/tutorials/104760-enable-disable-idn-punycode-firefox-address-bar-windows.html

    https://www.xudongz.com/blog/2017/idn-phishing/

    @marcusquinn I think it was you who recommended Vivaldi on here so I had it replace Chrome for anything Google related. The cool thing is that the punycode site doesn't even load in Vivaldi! Thanks for the recommendation!

    marcusquinnM 1 Reply Last reply
    5
    • marcusquinnM Offline
      marcusquinnM Offline
      marcusquinn
      replied to humptydumpty on last edited by
      #2

      @humptydumpty Good stuff, yeah Vivaldi remains my Chromium of choice 👍

      Web Design https://www.evergreen.je
      Development https://brandlight.org
      Life https://marcusquinn.com

      1 Reply Last reply
      0

      • Login
      • Don't have an account? Register
      • Login or register to search.
      • First post
        Last post
      0
      • Categories
      • Recent
      • Tags
      • Popular
      • Bookmarks
      • Search