Verisign, Amazon patch zero-day vulnerability that used homoglyph characters
Verisign has fixed an issue that could have allowed attackers to register bogus domains by using homoglyphs in place of more common characters, following research from California-based security firm Soluble.
Matt Hamilton, principal security researcher at Soluble, discovered the flaw when he attempted to register an Amazon Web Services S3 bucket with Unicode emoji characters. “It was possible to register Latin homoglyph characters, specifically Unicode Latin IPA Extension homoglyphs,” he wrote in a blog post published Wednesday. “I then checked if it was possible to register domains with these homoglyph characters. Ruh-roh, it was.”
Hamilton called out the abuse of the following characters:
- The “ɡ” (Voiced Velar Stop, U+0261 LATIN SMALL LETTER SCRIPT G), which mimics the ASCII “g”
- The “ɑ” (Latin Alpha, U+0251 LATIN SMALL LETTER ALPHA), which mimics the ASCII “a”
- The “ɩ” (Latin Iota, U+0269 LATIN SMALL LETTER IOTA), which mimics the ASCII “i”
For years, domain registries and registrars have been aware of homoglyph attacks and have put restrictions in place to prevent them, such as barring domain names that mix Latin and Cyrillic characters. Verisign, which operates the registries for the .com and .net TLDs, rejects mixed-script domains, but Hamilton found that a blend of ASCII letters and non-ASCII Latin-script characters still passed the check “as long as the Unicode characters were themselves Latin.”
Over the last three years, homoglyph variants of 15 of the 300 domains Hamilton checked had been registered using this technique and had been issued HTTPS certificates.
“This included prominent financial, internet shopping, technology, and other Fortune 100 sites. There is no legitimate or non-fraudulent justification for this activity,” Hamilton said. “My speculation is that this vulnerability was only used in highly-targeted social engineering campaigns.”
In recent days Verisign developed a fix that prevents the registration of domains containing these homoglyphs by updating its approved character table.
Amazon blocked Unicode in S3 bucket names by refusing buckets that begin with “xn--”, the prefix every internationalized DNS label carries in its ASCII (Punycode) form, which should prevent this kind of script spoofing in bucket-name subdomains.
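The two checks described above, the registry's mixed-script rule that these labels slip past and the “xn--” prefix test Amazon applied to bucket names, as an added example that is not part of the original article and not Verisign's or Amazon's code. It uses only the three homoglyphs the article lists; the `LATIN_HOMOGLYPHS` table, the function names and the protected-name set are assumptions for illustration.

```python
from __future__ import annotations

import unicodedata

# The three characters called out in the article, mapped to the ASCII letters they
# mimic. All three sit in the Latin script, so a check that only rejects mixing
# Latin with Cyrillic (or another script) accepts them. (Assumed table, not a
# complete confusables list.)
LATIN_HOMOGLYPHS = {"\u0261": "g", "\u0251": "a", "\u0269": "i"}

# ASCII-compatible-encoding prefix that every internationalized DNS label carries.
ACE_PREFIX = "xn--"


def to_ace(label: str) -> str:
    """Encode a Unicode DNS label to its ASCII (Punycode) wire form."""
    if label.isascii():
        return label
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


def decode_label(label: str) -> str:
    """Decode an xn-- label back to Unicode; plain ASCII labels are returned unchanged."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def is_idn_label(label: str) -> bool:
    """The test Amazon applied to bucket names: refuse any label in ACE form.
    DNS labels are case-insensitive, so the prefix is compared case-insensitively."""
    return label.lower().startswith(ACE_PREFIX)


def has_mixed_ascii_latin(label: str) -> bool:
    """True when a label mixes ASCII letters with non-ASCII Latin-script letters.

    This is the combination a Latin-vs-Cyrillic mixed-script rule does not catch,
    because every character still reports a LATIN name in the Unicode database.
    """
    u = decode_label(label)
    ascii_letters = any(c.isascii() and c.isalpha() for c in u)
    nonascii_latin = any(
        not c.isascii() and unicodedata.name(c, "").startswith("LATIN ") for c in u
    )
    return ascii_letters and nonascii_latin


def skeleton(label: str) -> str:
    """Fold known homoglyphs to ASCII so a lookalike compares equal to its target.

    NFKC handles compatibility forms such as fullwidth letters, but it does NOT
    fold the IPA letters above; those need the explicit table.
    """
    folded = unicodedata.normalize("NFKC", decode_label(label))
    return "".join(LATIN_HOMOGLYPHS.get(c, c) for c in folded)


def lookalike_target(label: str, protected: set[str]) -> str | None:
    """Return the protected name this label impersonates, or None if it is not a lookalike."""
    u = decode_label(label)
    s = skeleton(label)
    if s in protected and s != u:
        return s
    return None


if __name__ == "__main__":
    # Constructed sample labels: one homoglyph spoof, one genuine name, one Cyrillic mix.
    for lbl in ("\u0261oogle", "google", "p\u0430ypal"):
        ace = to_ace(lbl)
        print(ace, "idn:", is_idn_label(ace), "ascii+latin mix:", has_mixed_ascii_latin(ace),
              "target:", lookalike_target(ace, {"google", "paypal"}))
```

`has_mixed_ascii_latin` is the check a registry could add beside its existing mixed-script rule; `is_idn_label` is the blunter test Amazon chose, which also refuses legitimate internationalized names. The Cyrillic example is included to show the boundary: it is a different-script mix, already rejected by the rule Verisign had, and so is deliberately not flagged by the new check.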
Some of the companies that Hamilton contacted about the possible exploitation were not responsive.
“[W]e view this as a very low risk for our users at this time,” DigitalOcean told Hamilton last month, although the company confirmed it was going to investigate mitigations.
Mike McBryde, Director of Product Security at DigitalOcean, told CyberScoop in a statement that he believes the responsibility for dealing with this flaw lies with browsers or DNS providers.
“DigitalOcean takes all security vulnerabilities seriously and has investigated ways to mitigate the specific risk of homoglyph collision attacks,” McBryde said. “We believe the best remediation against such attacks is on the browser and/or DNS provider level, and most major browsers already have some type of policy in place. We will continue to monitor the situation and work with our users as appropriate.”
Google and Wasabi were last in touch with Hamilton in November and December of last year. Hamilton said he continuously updated them on the research while Verisign worked to deploy mitigations before disclosure.
Wasabi issued a statement in March noting that “part of the protection against this type of attack comes from web browsers that can defend against the problem,” adding that “domain registrars are working to do their part by preventing the registration of problematic domain names.”
“This particular case was by-and-large a disappointment due to the unresponsiveness of vendors,” Hamilton said. “Kudos to Amazon and Verisign who, in my view, were the only vendors to take this issue seriously and alter their policies in a timely manner to address this vulnerability.”
Google did not immediately return a request for comment.