Spoof All Domains Containing 'd' in Apple Products [CVE-2018-4277]

During this time I have been researching security issues on the browser front end, and I have found dozens of vulnerabilities in browsers such as Chrome, Safari, and Firefox. Unicode visual security and IDN homograph attack have also been the subject of my research.

Evil U+A771

In my research, I found Latin small letter dum (U+A771) glyph is very similar to Latin small letter D (U+0064) in Apple products. From the glyph standard of Unicode (U+A771), we can see that there should be a small apostrophe after d, but this is completely ignored in Apple products.

Register icloud.com

Next, I want to register a real domain name, so that the IDN Spoof can run normally. As everyone knows that in Verisign’s IDN registration rules, mixed Unicode scripts are not allowed to register. If IDN contains two or more Unicode script code, it will refuse to register. Fortunately (U+A771) also belongs to Latin, should be consistent with the domain name registrar rule. So, everything is ok, I successfully registered the domain name.

Next I registered a SSL certificate to make this IDN Spoof look more real and perfect. The effect is as follows: Chrome / Firefox / Edge browser uses punycode to display this domain name, but Safari does not.

Spoof 1/4 of Top 10K domains

At this point, we have determined that the whole deception process is completely feasible, so an attacker can spoof all domain names containing ‘d’ character. In the Google Top 10K domain name, about 25% of the website domain names have ‘d’ character that can be spoofed.

• linkedin.com
• baidu.com
• jd.com
• adobe.com
• wordpress.com
• dropbox.com
• godaddy.com
• reddit.com
• …………