Take a look at http://www.shmoo.com/idn/
The link is “http://www.pаypal.com/”, where the first “a” is the Cyrillic letter а (U+0430) rather than the Latin one, and which the browsers' Punycode handlers render as www.xn--pypal-4ve.com.
This security flaw could be quite major, as any letter can be replaced by its look-alike from an international character script. For full details, take a look at this file.
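An added example, not part of the original post: a Python check that converts a hostname to the Punycode form sent to DNS and flags labels whose letters come from more than one script, run on the spoofed link above. The function names and the script heuristic (first word of the Unicode character name) are assumptions of this example.

```python
import unicodedata


def scripts_in_label(label):
    """Return the set of scripts used by the letters of one DNS label.

    Heuristic (assumption of this example): the first word of the Unicode
    character name, e.g. LATIN or CYRILLIC. Digits and hyphens are ignored.
    """
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in label
        if ch.isalpha()
    }


def to_ascii(hostname):
    """Return the Punycode (xn--) form of the hostname, as sent to DNS."""
    return hostname.encode("idna").decode("ascii")


def check_hostname(hostname):
    """Return (punycode_form, labels_that_mix_scripts) for a hostname."""
    mixed = [
        label
        for label in hostname.split(".")
        if len(scripts_in_label(label)) > 1
    ]
    return to_ascii(hostname), mixed


# Constructed sample input: the spoofed name from the link above, with
# U+0430 CYRILLIC SMALL LETTER A in place of the Latin "a", and the real name.
SPOOFED = "www.p\u0430ypal.com"
GENUINE = "www.paypal.com"

if __name__ == "__main__":
    for host in (SPOOFED, GENUINE):
        ace, mixed = check_hostname(host)
        verdict = "SUSPICIOUS (mixed scripts)" if mixed else "ok"
        print(f"{host!r} -> {ace}  {verdict}")
```

A label written entirely in one non-Latin script passes this check, so it only covers the mixed-script case shown on this page.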
Vulnerable browsers include (but are not limited to):
Most Mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc.)
Safari 1.2.5
Opera 7.54
Omniweb 5
While those are mainly Mac browsers (OmniWeb and Safari), all users of anything that isn’t IE should be wary, at least until a patch is released which fixes this issue.
Update: (Franki) There is a temp fix for Firefox already out, I’ve tried it and it works. Here are the steps:
1. Go to your Firefox address bar and enter: about:config and press enter, this will bring up Firefox’s internal configuration page.
2. Scroll down to the line beginning: network.enableIDN or in the alternative enter that phrase (you can cut and paste it) into the filter text box and click “show all”.
3. Double-click the network.enableIDN label, and Firefox will change the default value of ‘true’ to ‘false’. Close that window and you’re done.
There will no doubt be a software fix on the way soon, so you should run Firefox update regularly. (Go to “tools” -> “options” -> “advanced” and scroll down till you see the section called “Software Update” and click “Check now” and Firefox will do the rest.)
It should be noted that the reason that IE is not vulnerable is because they never supported international domains in the first place. There is a plug-in to enable that functionality in IE, and if you have the plug-in installed, then your copy of Internet Explorer is just as vulnerable.
Read more on this issue here.