Verisign secures .com and .net against new homoglyph hacks

By Juha Saarinen on Mar 4, 2020 12:43PM
Google and US CERT ignored issue.

Verisign, which operates the .com and .net registries, has deployed changes to its registration rules to prevent the registration of bogus, lookalike domain names that use Unicode International Phonetic Alphabet (IPA) Extension characters. These characters look very similar to standard letters such as a, g and i but are treated as different characters by computer systems.

Matt Hamilton, a researcher at a security vendor, successfully registered a storage bucket containing a Unicode emoji character with a cloud provider in November 2019.

He was curious whether it was also possible to register Unicode Latin IPA homoglyphs in bucket names and sub-domains, which it was.

"I then checked if it was possible to register domains with these homoglyph characters. Ruh-roh, it was," Hamilton said.

Hamilton then spent approximately US$400 on registering a bundle of 17 .com domains, using International Phonetic Alphabet Extension homoglyphs to demonstrate the vulnerability.

He was able to register domain names that look deceptively similar to well-known internet brands and properties, such as amazon.com, apple.com, gmail.com, netflix.com, theguardian.com and more.

Of the three homoglyphs, the ɡ (voiced velar stop) is the most convincing, being nearly indistinguishable from its Latin letter counterpart, Hamilton said.

The Latin alpha homoglyph is also very convincing, especially when it is not placed next to a standard Latin a.

The third lookalike, the Latin iota, is the least convincing; on some systems and fonts it resembles a lower-case L rather than the Latin i.

The researcher has promised to transfer the homoglyph domain registrations to the owners of the non-homographic equivalents at no cost.

Verisign acknowledged the issue and thanked Hamilton for bringing it to the company's attention.

"While the underlying issue described by Mr Hamilton is well understood by the global Internet community – and is the subject of active policy development by ICANN [the Internet Corporation for Assigned Names and Numbers] – we appreciate him providing additional timely details about how this issue may be exploited," Verisign said.

"Although we understand that ICANN has been on a path to address these issues globally, we have also proactively updated our systems and obtained the necessary approval from ICANN to implement the changes to the .com and .net top-level domains required to prevent the specific types of confusable homograph registrations detailed in Mr. Hamilton's report," the gTLD operator added.

Homograph and homoglyph attacks are a known problem: they allow a malicious user to, for example, replace the Latin a with the visually identical Cyrillic а in order to create resource locators that look deceptively similar to legitimate ones.

Verisign has been aware of the issue and has implemented anti-homograph measures, such as disallowing mixed scripts within a single domain registration.

Hamilton discovered that it was possible to bypass Verisign's registration rules if the lookalike Unicode characters came from the Latin IPA Extension block, since these are classified as Latin letters and therefore do not trigger the mixed-script rule.

Apart from Verisign, Amazon Web Services S3 has remediated the vulnerability by refusing bucket names that start with "xn--", the Punycode prefix used to encode Unicode characters in DNS labels.
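As an added illustration of the two checks described above (not code from the article or from Hamilton), the following Python shows why a naive "all letters are Latin" rule passes an IPA Extension homoglyph, how the same name looks once encoded to its "xn--" Punycode form, and how a defender can map the three characters named in the article back to the ASCII letters they imitate and compare the result against a watchlist. The lookalike mapping and the sample names are assumptions constructed for the example.

```python
import unicodedata

# Unicode block the article says slipped past the mixed-script rule:
# IPA Extensions, U+0250..U+02AF.
IPA_EXTENSIONS = range(0x0250, 0x02B0)

# Assumed lookalike mapping for the three characters the article names:
# script g (U+0261), Latin alpha (U+0251) and Latin iota (U+0269).
CONFUSABLES = {"\u0261": "g", "\u0251": "a", "\u0269": "i"}


def is_single_latin_script(label):
    """Naive 'no mixed scripts' rule: every letter's Unicode name says LATIN.
    IPA Extensions letters are named LATIN SMALL LETTER ..., so they pass."""
    return all(unicodedata.name(ch, "").startswith("LATIN")
               for ch in label if ch.isalpha())


def to_idna(domain):
    """Registry / S3 view: each non-ASCII label becomes an xn-- Punycode label."""
    return ".".join(label.encode("idna").decode("ascii")
                    for label in domain.split("."))


def analyze(domain):
    """Flag IPA Extensions characters and build the ASCII 'skeleton' they imitate."""
    findings, skeleton = [], []
    for ch in domain:
        if ord(ch) in IPA_EXTENSIONS:
            looks_like = CONFUSABLES.get(ch, "?")
            findings.append((ch, unicodedata.name(ch), looks_like))
            skeleton.append(looks_like)
        else:
            skeleton.append(ch)
    return {
        "domain": domain,
        "idna": to_idna(domain),
        "passes_naive_script_rule": all(is_single_latin_script(l) for l in domain.split(".")),
        "ipa_findings": findings,
        "skeleton": "".join(skeleton),
    }


def matches_protected(domain, protected):
    """True only when the name contains IPA homoglyphs AND its skeleton is a watchlisted name."""
    report = analyze(domain)
    return bool(report["ipa_findings"]) and report["skeleton"].lower() in protected


if __name__ == "__main__":
    # Constructed sample names, not the domains registered in the article.
    for name in ["example.com", "ex\u0251mple.com", "lo\u0261in.example.com"]:
        r = analyze(name)
        print(r["idna"], r["passes_naive_script_rule"], r["ipa_findings"])
```

The naive script rule returns True for every sample, which is exactly the gap the article describes; the block-based check and the skeleton comparison are what actually catch the lookalike.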

Hamilton also reported the vulnerability to Google, cloud storage company Wasabi and DigitalOcean, and notified them in February that he had reclassified the issue as a zero-day after finding fraudulent HTTPS certificates and an unofficial JavaScript library hosted on an unnamed but prominent domain that used homograph lookalike characters.

None of these infrastructure-as-a-service providers responded, however.

While Google prevents the creation of buckets whose names contain "google" or close misspellings such as "g00gle", Hamilton said it is still possible to register bucket names that use Unicode Latin IPA Extension homoglyphs.

He also contacted the United States Computer Emergency Response Team (US CERT) about the vulnerability but did not get a response from them.

Hamilton believes the vulnerability has been abused for the past three years.

"Between 2017 and today, more than a dozen homograph domains have had active HTTPS certificates," Hamilton said.

"This included prominent financial, internet shopping, technology, and other Fortune 100 sites."

"There is no legitimate or non-fraudulent justification for this activity," he added.

Copyright © iTnews.com.au . All rights reserved.