
Should Toolforge allow internationalized domain names / Punycode in tool names, or have some protection against homograph attacks?
Closed, Resolved · Public · Security

Description

Toolforge currently permits tool names to contain Punycode, so that the tool URL can be an internationalized domain name; this is currently used by two redirect-only tools:

In theory, this feature can be abused for homograph attacks. Is this something we’re concerned about in a tool name? Should we prevent it in tool registrations (e.g. in Striker, or by adding xn-- to the Wikitech title blacklist)? Or should we leave the matter to browsers? (Neither Firefox nor Chrome actually show either of the above URLs in encoded form, for example.)

Details

Risk Rating: Low
Author Affiliation: Wikimedia Communities

Event Timeline

LucasWerkmeister added a project: Toolforge.
LucasWerkmeister added subscribers: bd808, TheresNoTime.

(Boldly lowering the priority to indicate that I don’t think this is a pressing issue, just something I wondered about which [as far as I can tell] wasn’t discussed on Phabricator before. T336584 previously discussed the unicorn party redirect tool, but not as a security-relevant concern.)

bd808 claimed this task.

I have added a rule to block creation of such names at https://wikitech.wikimedia.org/w/index.php?title=MediaWiki:Titleblacklist&diff=prev&oldid=2134298. Maintainers wishing to register punycode names in the future can request an exception for their desired name. Humans can review that to determine if there is any likelihood of end-user confusion as a result, be that a homograph attack or something else. The two legacy names identified by @LucasWerkmeister have been added at https://wikitech.wikimedia.org/w/index.php?title=MediaWiki:Titlewhitelist&diff=prev&oldid=2134300 to retroactively comply with the new policy.

Security-Team: please make this ticket publicly viewable now that this theoretical social engineering attack vector has been mitigated.
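As an added illustration (not part of this ticket, Striker or the Toolforge code base), a registration-time check in the spirit of the title-blacklist rule above: any name carrying the `xn--` prefix is routed to human review rather than rejected outright, decoded so the reviewer sees the Unicode form, and annotated when the decoded label mixes scripts (the Latin/Cyrillic homograph case from the description). The sample names are constructed for the example and are not real tools.

```python
import unicodedata

# Constructed sample registrations; none of these are real Toolforge tool names.
PLAIN_NAME = "wikidata-todo"
HOMOGRAPH_NAME = "xn--pple-43d"  # "apple" spelled with a Cyrillic first letter
EMOJI_NAME = "xn--" + "\U0001F984".encode("punycode").decode("ascii")  # single unicorn emoji
MALFORMED_NAME = "xn--!!"


def decode_ace(label):
    """Return the Unicode form of an 'xn--' (ACE) label, or None if it is not valid Punycode."""
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return None


def scripts_used(text):
    """Approximate the scripts in text by the first word of each letter's Unicode name
    (LATIN, CYRILLIC, GREEK, ...). Coarse, but enough to flag a Latin/Cyrillic mix."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def assess(tool_name):
    """Classify a proposed tool name (one hostname label, i.e. <name>.toolforge.org).

    allow  - no ACE prefix, nothing to decode
    review - valid Punycode; mirrors the blacklist rule that such names need a
             human-granted exception, with mixed_script as a hint for the reviewer
    reject - 'xn--' prefix that does not decode to anything
    """
    label = tool_name.lower()
    if not label.startswith("xn--"):
        return {"name": tool_name, "decoded": label, "policy": "allow", "mixed_script": False}
    decoded = decode_ace(label)
    if decoded is None:
        return {"name": tool_name, "decoded": None, "policy": "reject", "mixed_script": False}
    return {"name": tool_name, "decoded": decoded, "policy": "review",
            "mixed_script": len(scripts_used(decoded)) > 1}


if __name__ == "__main__":
    for name in (PLAIN_NAME, HOMOGRAPH_NAME, EMOJI_NAME, MALFORMED_NAME):
        print(assess(name))
```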

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.