Insufficient validation of untrusted input in Omnibox

Aleph Research Advisory

Identifier

Severity

Moderate

Product

Chromium

Vulnerable Version

Chromium: Before 80.0.3987

Mitigation

Chromium 80.0.3987

Technical Details

Click here to see it better.

The above shows numerous domains which could have been used for phishing attacks but were not displayed in Punycode form in Chrome’s Omnibox.

Timeline

04-Feb-20
: Public disclosure.
04-Feb-20
: CVE-2020-6401 assigned.
24-Oct-19
: Reported (Chromium Team).
04-Feb-19
: Patch available.

Posts

Revised Homograph Attacks - Part 2
By Tzachy Horesh,
23-Jul 2020

Credit

Tzachy Horesh (@tzachyh) of Aleph Research, HCL Technologies

External References

Chrome - Security Advisory ID 1017707 - txt