Download Firefox

Firefox is no longer supported on Windows 8.1 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox is no longer supported on macOS 10.14 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2009-15

URL spoofing with box drawing character

Announced
April 21, 2009
Reporter
Bjoern Hoehrmann, Moxie Marlinspike
Impact
Low
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 3.0.9
  • SeaMonkey 1.1.15
  • Thunderbird 2.0.0.21

Description

Bjoern Hoehrmann and security researcher Moxie Marlinspike independently reported that Unicode box drawing characters were allowed in Internationalized Domain Names (IDN) where they could be visually confused with punctuation used in valid web addresses. This could be combined with a phishing-type scam to trick a victim into thinking they were on a different website than they actually were.

References