Homograph attack on Facebook Messenger and WhatsApp

Ajay Gautam
3 min read, Nov 27, 2018

Hello,

It's me, Ajay Gautam, Security Researcher at Nassec. During my weekends I have been looking for security issues on Facebook, but I had not discovered anything cool. One day I was chatting with my colleagues on Facebook Messenger, sharing our achievements and job status. My colleague told me he was interested in the company where I work, so I sent him my company's official site, written slightly differently for fun, and I clicked the link myself to review my company website. I was surprised that it redirected to a homograph link rather than my company's site.

So, what is a homograph attack?

According to Wikipedia, “The internationalized domain name (IDN) homograph attack is a way a malicious party may deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike (i.e., they are homographs, hence the term for the attack, although technically homoglyph is the more accurate term for different characters that look alike). For example, a regular user of example.com may be lured to click a link where the Latin character “a” is replaced with the Cyrillic character “а”.”

How I was able to reproduce the homograph attack on Facebook

When I send a link like ‘😃facebook.com’ in Messenger or WhatsApp and a user opens the site by clicking 😃facebook.com, it does not go to facebook.com but is redirected to a homograph site, http://xn--facebook-ti75g.com/.

What is the impact of this bug?

Suppose an attacker registers the domain http://xn--facebook-ti75g.com/. When a user sends a message such as ‘😃facebook.com’ with the emoji attached and then clicks his own sent link, he becomes a victim of the homograph attack. In this scenario the attacker does not need to send any link to the victim: a Facebook user can victimise himself, and an attacker can also target a particular person by sending such links. The root cause is that the messenger's link parser treats the emoji as part of the hostname, and the browser converts that non-ASCII label to its Punycode form (xn--facebook-ti75g), so the tap lands on a completely different registrable domain while the message still displays something that reads as facebook.com. After the tap the browser's address bar will typically show the xn-- form, which is the only visible cue; the message preview gives no warning.

I reported this issue to Facebook, but this was the reply from the FB security team:

Hi Ajay,

We are aware of homograph URLs and the potential risks they pose. We have automated systems in place to detect and prevent abusive/malicious domains/URLs. What you’re describing is a social engineering attack against people, which is not in scope for our program.

Thanks,

Video POC showing the attack:

DISCLAIMER: This post is for educational purposes only. I hereby declare that if any person, organization or other party willingly does malicious activities using this report, I will not be responsible for those activities. Thank you for reading my post and supporting me.

This story is published in Noteworthy, where 10,000+ readers come every day to learn about the people & ideas shaping the products we love.
