Bug 98831

Summary: Kopete users vulnerable to Unicode URL phishing
Product: [Applications] kopete
Reporter: Neal Pitts <nite_eyes>
Component: general
Assignee: Kopete Developers <kopete-bugs-null>
Status: RESOLVED NOT A BUG
Severity: normal
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Mandrake RPMs
OS: Linux
Latest Commit:
Version Fixed In:

Description Neal Pitts 2005-02-08 09:54:39 UTC
Version:            (using KDE 3.3.2)
Installed from:    Mandrake RPMs
OS:                Linux

I was testing my browsers for IDN phishing vulnerabilities (http://secunia.com/multiple_browsers_idn_spoofing_test) when I decided to copy/paste the test URL (http://www.paypаl.com/) into Kopete.  Not only did everything look "normal", but the proper link destination was preserved.  I found libidn.so.11 was dynamically linked to my version of Kopete... Is that where the problem originates?

I understand the likely fix is better user education, but I wanted to report the problem to be safe.
Comment 1 Olivier Goffart 2005-02-08 11:56:37 UTC
Kopete uses khtml to render content; the "problem" is in khtml. And isn't the Konqueror team aware of the security audit of Secunia?

The only solution for that is correct https authentication, because it will always be possible to make a URL which looks like paypal: paypa1, paypaI, payqal, peypal or whatever.
Comment 2 Thiago Macieira 2005-02-08 13:35:03 UTC
Exactly what I said in Bug #98788. This is a KDE-wide "problem".
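
A defensive check for the case reported above, as an added example that is not part of the bug report or of Kopete/KHTML code: it flags hostname labels that mix Unicode scripts and returns the ASCII (xn--) form of the host so a client can display it instead. The function names are hypothetical, the sample URL is constructed from the report's test URL with the Cyrillic letter written as `\u0430`, and the script test is a heuristic based on Unicode character names.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample: the report's test URL with the Cyrillic "a" made explicit.
SAMPLE = "http://www.payp\u0430l.com/"

def scripts_in(label):
    """Scripts used in a label, taken from the first word of each character's
    Unicode name (a heuristic, not the UTS #39 script data)."""
    found = set()
    for ch in label:
        name = unicodedata.name(ch, "UNKNOWN")
        if name == "HYPHEN-MINUS" or name.startswith("DIGIT "):
            continue  # digits and hyphens are shared by all scripts
        found.add(name.split()[0])  # e.g. "LATIN", "CYRILLIC", "GREEK"
    return found

def to_unicode(label):
    """Decode an xn-- label so raw and already-encoded input are judged alike."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed encoding: keep the label as received
    return label

def to_ace(label):
    """ASCII-compatible form of a label, which cannot hide a look-alike letter."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def audit_url(url):
    """Return the ASCII host and every label that mixes more than one script."""
    host = urlsplit(url).hostname or ""
    labels = [to_unicode(part) for part in host.split(".")]
    mixed = {l: sorted(scripts_in(l)) for l in labels if len(scripts_in(l)) > 1}
    return {"ascii_host": ".".join(to_ace(l) for l in labels), "mixed": mixed}

if __name__ == "__main__":
    print(audit_url(SAMPLE))
    print(audit_url("http://www.paypa1.com/"))
```

The check flags the mixed Latin/Cyrillic label in the test URL but reports nothing for pure-ASCII look-alikes such as paypa1, the case Comment 1 raises.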