How I Stole imguʀ.com And Pwned The World

I was up early, checking my twitter feed, and I came across this.

They were a bunch of guys who decided to take letters in a domain name, and convert them to unicode. So they look visually the same, although they are actually completely different. I decided to give this a go.

Hot Damn

I hopped over to the Hompglyph Attack Generator, put in imgur, and found a close enough match. Then I hopped on over to my favourite registrar and registered it.

Here is what it looks like i.imguʀ.com/ai8sch.jpg

Don’t worry, there isn’t some sketchy 0day or IP logger on there. I promise. I’m from the internet, you can trust me.

You may notice that when you copy and paste that into your URL bar, it will automatically resolve to i.imguʀ.com, that in fact is the domain I actually registered. These are known as unicode domains. They are supported by major browsers. A legitimate use of these would be emoji’s in the url.

I picked Imgur as people often use it to share images over IRC. If you throw in a link without a https:// prefix, they will just copy and paste it.

In fact, I tried it in the IRC and several people tried the link. It looks pretty innocent and would catch many people out. Thus, I hope this short overview of the potential for this attack is enough to help you keep your eyes open!

Keep Nullin’ :stuck_out_tongue:

- pry0cc

17 Likes

Further findings. On a terminal client, http://i.imguʀ.com/ai8sch.jpg, doesn’t highlight correctly. However on the webchat, the whole thing highlights and operates correctly. In fact, any website containing these thinks works.

2 Likes

This is pretty cool. I’d be interested to see some data about how many people fall for this and what OS they use. Bet it’ll be a lotta Windows users!

3 Likes

and that’s just imgur, imagine what it’d do with all the farmville players clicking fасеbοοk.com (its not registered yet i think)

3 Likes

The big caveot is that when you click it, it turns into the actual domain. So it misleads to the click, after that it may not function too well.

Who’s going to look at the address bar if everything is as expected? Most people probably won’t think much of it even if they notice.

1 Like

Hello there, first of all: Excellent read, great PoC! Very informative.

I decided to test how the domain name interacts with emails and will post my results below:

(By “Nickname” I am referring to the “Name” you could select, in this example it would be “[email protected]”, the supposed email of the actual domain owner.)

Gmail:
- Preview shows the “Nickname” eg: [email protected] (non-unicode, the ‘actual owner’ of the domain)
- Actual mail shows the “Nickname” and the Unicode email eg: [email protected]ʀ.com (unicode)

Outlook:
- Preview shows the “Nickname”
- Actual mail shows the “Nickname” and the translated email eg: [email protected]ʀ.com

AOL (lol):
-Preview shows the “Nickname”
- Actual mail shows the “Nickname”, when you press “Show details” it displays the translated mail eg: [email protected]ʀ.com

IRC (Weechat):
- http://i.imguʀ.com actually displays the url correctly, you can even click on it directly

Discord:
- The URL displays correctly, and when your unicode domain, redirects to the original domain in the DNS records, the preview lists the preview of the original domain
(When the DNS records do not redirect to the original site, it displays the spoofed preview, for example the i.imguʀ.com preview, displays pry0cc’s preview page)

Edit: Added Discord results.
(I hope I wasn’t too confusing, if anything is unclear, feel free to ask me for more info!)

Kind regards,

Melanu

6 Likes

So it seems gmail is still vulnerable!

Good job on your research @melanu!

1 Like

Thank you and indeed, it’s pretty a serious phishing threat.

BTW, Whatsapp and Signal both seem vulnerable, only the underline looks a bit weird.
Tested on iOS 10

2 Likes

Works on android too. SMS could prove very powerful as well.

3 Likes

This is cool, I have to try it.

This topic was automatically closed after 30 days. New replies are no longer allowed.