CWE-1007 Detail

CWE-1007

Name

Insufficient Visual Distinction of Homoglyphs Presented to User

Likelihood

Medium

Status

Incomplete

Published

2017-11-08
00h00 +00:00

Modified

2023-06-29
00h00 +00:00

Official links

CWE Mitre.org

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Notifications manage

List of Notifications

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Name: Insufficient Visual Distinction of Homoglyphs Presented to User

The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.

CWE Description

Some glyphs, pictures, or icons can be semantically distinct to a program, while appearing very similar or identical to a human user. These are referred to as homoglyphs. For example, the lowercase "l" (ell) and uppercase "I" (eye) have different character codes, but these characters can be displayed in exactly the same way to a user, depending on the font. This can also occur between different character sets. For example, the Latin capital letter "A" and the Greek capital letter "Α" (Alpha) are treated as distinct by programs, but may be displayed in exactly the same way to a user. Accent marks may also cause letters to appear very similar, such as the Latin capital letter grave mark "À" and its equivalent "Á" with the acute accent.

Adversaries can exploit this visual similarity for attacks such as phishing, e.g. by providing a link to an attacker-controlled hostname that looks like a hostname that the victim trusts. In a different use of homoglyphs, an adversary may create a back door username that is visually similar to the username of a regular user, which then makes it more difficult for a system administrator to detect the malicious username while reviewing logs.

General Informations

Modes Of Introduction

Architecture and Design : This weakness may occur when characters from various character sets are allowed to be interchanged within a URL, username, email address, etc. without any notification to the user or underlying system being used.
Implementation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Technologies

Class: Web Based (Sometimes)

Common Consequences

Scope	Impact	Likelihood
Integrity Confidentiality	Other Note: An attacker may ultimately redirect a user to a malicious website, by deceiving the user into believing the URL they are accessing is a trusted domain. However, the attack can also be used to forge log entries by using homoglyphs in usernames. Homoglyph manipulations are often the first step towards executing advanced attacks such as stealing a user's credentials, Cross-Site Scripting (XSS), or log forgery. If an attacker redirects a user to a malicious site, the attacker can mimic a trusted domain to steal account credentials and perform actions on behalf of the user, without the user's knowledge. Similarly, an attacker could create a username for a website that contains homoglyph characters, making it difficult for an admin to review logs and determine which users performed which actions.

Observed Examples

References	Description
CVE-2013-7236	web forum allows impersonation of users with homoglyphs in account names
CVE-2012-0584	Improper character restriction in URLs in web browser
CVE-2009-0652	Incomplete denylist does not include homoglyphs of "/" and "?" characters in URLs
CVE-2017-5015	web browser does not convert hyphens to punycode, allowing IDN spoofing in URLs
CVE-2005-0233	homoglyph spoofing using punycode in URLs and certificates
CVE-2005-0234	homoglyph spoofing using punycode in URLs and certificates
CVE-2005-0235	homoglyph spoofing using punycode in URLs and certificates

Potential Mitigations

Phases : Implementation

Use a browser that displays Punycode for IDNs in the URL and status bars, or which color code various scripts in URLs.

Due to the prominence of homoglyph attacks, several browsers now help safeguard against this attack via the use of Punycode. For example, Mozilla Firefox and Google Chrome will display IDNs as Punycode if top-level domains do not restrict which characters can be used in domain names or if labels mix scripts for different languages.

Phases : Implementation

Use an email client that has strict filters and prevents messages that mix character sets to end up in a user's inbox.

Certain email clients such as Google's GMail prevent the use of non-Latin characters in email addresses or in links contained within emails. This helps prevent homoglyph attacks by flagging these emails and redirecting them to a user's spam folder.

Detection Methods

Manual Dynamic Analysis

If utilizing user accounts, attempt to submit a username that contains homoglyphs. Similarly, check to see if links containing homoglyphs can be sent via email, web browsers, or other mechanisms.
Effectiveness : Moderate

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-632	Homograph Attack via Homoglyphs An adversary registers a domain name containing a homoglyph, leading the registered domain to appear the same as a trusted domain. A homograph attack leverages the fact that different characters among various character sets look the same to the user. Homograph attacks must generally be combined with other attacks, such as phishing attacks, in order to direct Internet traffic to the adversary-controlled destinations.

References

REF-7

Writing Secure Code
Michael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223

REF-8

The 2011 IDN Homograph Attack Mitigation Survey
Gregory Baatard, Peter Hannay.
http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1174&context=ecuworks2012

Submission

Name	Organization	Date	Date release	Version
CWE Content Team	MITRE	2017-07-24 +00:00	2017-11-08 +00:00	2.12

Modifications

Name	Organization	Date	Comment
CWE Content Team	MITRE	2018-03-27 +00:00	updated Demonstrative_Examples, Description, References
CWE Content Team	MITRE	2019-01-03 +00:00	updated Demonstrative_Examples, Description, Related_Attack_Patterns
CWE Content Team	MITRE	2020-02-24 +00:00	updated Applicable_Platforms, Relationships
CWE Content Team	MITRE	2020-06-25 +00:00	updated Observed_Examples
CWE Content Team	MITRE	2022-10-13 +00:00	updated Demonstrative_Examples
CWE Content Team	MITRE	2023-01-31 +00:00	updated Demonstrative_Examples, Description, Related_Attack_Patterns
CWE Content Team	MITRE	2023-04-27 +00:00	updated Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes