Spoof All Domains Containing ‘d’ in Apple Products [CVE-2018-4277]

During this time I have been researching security issues on the browser front end, and I have found dozens of vulnerabilities in browsers such as Chrome, Safari, and Firefox. Unicode visual security and IDN homograph attack have also been the subject of my research.

Evil U+A771

In my research, I found Latin small letter dum (U+A771) glyph is very similar to Latin small letter D (U+0064) in Apple products. From the glyph standard of Unicode (U+A771), we can see that there should be a small apostrophe after d, but this is completely ignored in Apple products.

Register icloud.com

Next, I want to register a real domain name, so that the IDN Spoof can run normally. As everyone knows that in Verisign’s IDN registration rules, mixed Unicode scripts are not allowed to register. If IDN contains two or more Unicode script code, it will refuse to register. Fortunately (U+A771) also belongs to Latin, should be consistent with the domain name registrar rule. So, everything is ok, I successfully registered the domain name.

Next I registered a SSL certificate to make this IDN Spoof look more real and perfect. The effect is as follows: Chrome / Firefox / Edge browser uses punycode to display this domain name, but Safari does not.

Spoof 1/4 of Top 10K domains

At this point, we have determined that the whole deception process is completely feasible, so an attacker can spoof all domain names containing ‘d’ character. In the Google Top 10K domain name, about 25% of the website domain names have ‘d’ character that can be spoofed.

• linkedin.com
• baidu.com
• jd.com
• adobe.com
• wordpress.com
• dropbox.com
• godaddy.com
• reddit.com
• …………

Video demo

Apple patch

Affected products

Apple watchOS before 4.3.2 https://support.apple.com/zh-cn/HT208935
Apple iOS before 11.4.1 https://support.apple.com/zh-cn/HT208938
Apple tvOS before 11.4.1 https://support.apple.com/zh-cn/HT208936
Apple macOS High Sierra before 10.13.5 https://support.apple.com/zh-cn/HT208937

Disclosure Timeline

2018.4.2 Provide vulnerability detail to Apple via product-security@apple.com
2018.4.2 Apple automatic reply
2018.4.3 Apple responded that they confirmed this issue
2018.5.24 Apple responded that they discovered an additional affected component, postponing patch releases.
2018.6.27 Apple responded that the issue had already been fixed, the security update is targeted for release the week of July 09, 2018.
2018.7.4 Apple responded that they had assigned CVE-2018-4277 to the issue
2018.7.9 Apple advisory Updated
2018.11. vulnerability disclosure.