98831 – Kopete users vulnerable to Unicode URL phishing

Bug 98831 - Kopete users vulnerable to Unicode URL phishing

Summary: Kopete users vulnerable to Unicode URL phishing

Status:	RESOLVED NOT A BUG

Alias:	None

Product:	kopete
Classification:	Applications
Component:	general (show other bugs)
Version:	unspecified
Platform:	Mandrake RPMs Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	Kopete Developers

URL:
Keywords:

Depends on:
Blocks:

Reported:	2005-02-08 09:54 UTC by Neal Pitts
Modified:	2005-02-08 13:35 UTC (History)
CC List:	0 users

See Also:
Latest Commit:
Version Fixed In:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Neal Pitts 2005-02-08 09:54:39 UTC

Version:            (using KDE KDE 3.3.2)
Installed from:    Mandrake RPMs
OS:                Linux

I was testing my browsers for IDN phishing vulnerabilities (http://secunia.com/multiple_browsers_idn_spoofing_test) when I decided to copy/paste the test URL (http://www.paypаl.com/) into Kopete.  Not only did everything look "normal", but the proper link destination was preserved.  I found libidn.so.11 was dynamically linked to my version of Kopete... Is that where the problem originates?

I understand the likely fix is better user education, but I wanted to report the problem to be safe.

Comment 1 Olivier Goffart 2005-02-08 11:56:37 UTC

Kopete use khtml to render content, the "problem" is in khml.  And isn't the konqueror team aware of security audit of secunia ?

The only solution for that is a correct https authentification. because there will always be possible to do a url which looks like paypal, paypa1 paypaI payqal  peypal or whatever .

Comment 2 Thiago Macieira 2005-02-08 13:35:03 UTC

Exactly what I said in Bug #98788. This is a KDE-wide "problem".