Flickr Badge

Sunday, April 10, 2005

Phishing fun with Unicode

Remember the phishing attack I had posted about before ? IE was immune to the attack because they hadn't implemented the unicode support for domain names. Well, Ned Batchelder posts about this amazing new Unicode phishing attack, which works on IE, but not on Firefox, the reason being Firefox's incomplete support for bidirectional text rendering.

Here is the link: Phishing fun with Unicode

Basically what the attack does is to get past spam filters by writing certain sequences of text in left to right rendering mode and certain sequences in right to left rendering mode. Since IE has good support for bidirectional text rendering, the text is properly rendered, and it fools spam filters that do not understand unicode. Very clever.

A similar attack which would work on both IE and Firefox can probably be achieved (I've not tested this) by inserting zero-width spaces (U+200B) in between letters of a word. Filters that do byte by byte string compares would not match, but because this character is not rendered, it would look like a normal word to the end user.