Boing Boing: Shmoo Group exploit: 0wn any domain, no defense exists


"Shmoo Group exploit: 0wn any domain, no defense exists
Pablos sez, 'Shmoocon ended today. And just to prove The Shmoo Group wasn't sitting on their asses for the entire time while planning the con - A new exploit was demo'd by EricJ that left all jaws out on the floor. Want to own ANY domain? Want a trusted SSL cert for it? Check it out here. We 0wnz0rd PayPal, but left the rest for you. We have no idea how to fix this and neither do the browser developers. Official advisory here. Phishing attacks of doom coming soon.' Link (Thanks, Pablos!)"

The author claims it works in everything except IE. I tested it on my Mac today, and it doesn't work in NetNewsWire, though it works with Safari, which is weird.

One Boing Boing reader gives a workaround for users of Firefox:

1) Go to your Firefox address bar. Enter about:config and press Enter. Firefox will load the (large!) config page.

2) Scroll down to the line beginning network.enableIDN -- this is International Domain Name support, and it is causing the problem here. We want to turn this off -- for now. Ideally we want to support international domain names, but not with this problem.

3) Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!), click OK. You are done.

4) Go check out the shmoo demo again and notice it no longer works.

I hope Apple will do something about this in Safari.
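The trick behind the demo is a hostname whose Unicode form looks like a familiar Latin name, and the reader's about:config fix above works by stopping Firefox from rendering such names at all. As an added example (not from the post, the Shmoo advisory or any browser's code), here is a small Python check that decodes xn-- labels and flags look-alikes; the confusables table and the watch list are my own assumptions, and the sample hostnames are constructed.

```python
# Added example: flag IDN hostnames that render like a Latin brand name.
# Python 3 standard library only.
import unicodedata

# Hand-picked Cyrillic letters that look like Latin ones in common fonts.
# Assumption: a small illustrative table, not the full Unicode confusables list.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0455": "s", "\u04cf": "l",
}

def decode_label(label: str) -> str:
    """Turn an ACE label such as 'xn--pypal-4ve' back into Unicode."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ace(label: str) -> str:
    """Inverse of decode_label; used here only to build sample inputs."""
    return "xn--" + label.encode("punycode").decode("ascii")

def scripts(label: str) -> set:
    """Unicode scripts present in a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "?").split(" ")[0] for c in label if c.isalpha()}

def skeleton(label: str) -> str:
    """Map look-alike characters to their Latin counterparts."""
    return "".join(CONFUSABLES.get(c, c) for c in label.lower())

def assess(hostname: str, watch=("paypal", "apple")) -> list:
    """Return reasons to distrust the hostname; an empty list means clean."""
    reasons = []
    for raw in hostname.split("."):
        label = decode_label(raw)
        found = scripts(label)
        if len(found) > 1:                       # Latin 'p' next to Cyrillic 'a'
            reasons.append(f"{raw}: mixed scripts {sorted(found)}")
        skel = skeleton(label)
        if skel != label.lower() and skel in watch:   # catches all-Cyrillic labels too
            reasons.append(f"{raw}: renders like {skel!r}")
    return reasons

if __name__ == "__main__":
    # Constructed samples: 'paypal' with a Cyrillic 'a' in position 2,
    # and a wholly Cyrillic look-alike of 'apple'.
    for host in ["paypal.com", to_ace("p\u0430ypal") + ".com",
                 to_ace("\u0430\u0440\u0440\u04cf\u0435") + ".com"]:
        print(host, assess(host) or ["clean"])
```

Script mixing alone misses a label written entirely in one look-alike script, which is why the skeleton comparison against a watch list is the check that matters.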