Written by Shannon Vavra
Verisign has fixed an issue that could have allowed attackers to register bogus domains by using homoglyphs in place of more common characters, due to research from California-based security firm Soluble.
Matt Hamilton, principal security researcher at Soluble, discovered the flaw when he attempted to register an Amazon Web Services S3 bucket with Unicode emoji characters. “It was possible to register Latin homoglyph characters, specifically Unicode Latin IPA Extension homoglyphs,” he wrote in a blog released Wednesday. “I then checked if it was possible to register domains with these homoglyph characters. Ruh-roh, it was.”
Hamilton called out the abuse of the following characters:
For years, domain providers have been aware of homoglyph attacks and have put in place restrictions to prevent their exploitation, such as barring the use of both Latin and Cyrillic characters at once. Verisign, which operates registries for .com and .net TLDs, prevents registering domains with mixed-scripts, but Hamilton found that a blend of Unicode and Latin characters still passed the smell test “as long as the Unicode characters were themselves Latin.”
Over the last three years, 15 of 300 domains Hamilton tested were registered using this homoglyph technique and were issued HTTPS certificates.
“This included prominent financial, internet shopping, technology, and other Fortune 100 sites. There is no legitimate or non-fraudulent justification for this activity,” Hamilton said. “My speculation is that this vulnerability was only used in highly-targeted social engineering campaigns.”
In recent days Verisign developed a fix that prevents the registration of domains containing these homoglyphs by updating its approved character table.
Amazon worked to prevent Unicode in subdomain registration by blocking buckets beginning with “xn--”, which should prevent this kind of script spoofing.
Some of the companies that Hamilton contacted about the possible exploitation were not responsive.
“[W]e view this a very low risk for our users at this time,” DigitalOcean told Hamilton last month, although they confirmed they were going to investigate mitigations.
Google and Wasabi were last in touch with Hamilton in November and December of last year. Hamilton said he continuously updated them on the research while Verisign worked to deploy mitigations before disclosure.
“This particular case was by-and-large a disappointment due to the unresponsiveness of vendors,” Hamilton said. “Kudos to Amazon and Verisign who, in my view, were the only vendors to take this issue seriously and alter their policies in a timely manner to address this vulnerability.”
DigitalOcean, Google, and Wasabi did not immediately return request for comment.