Subject: 2 year old phishing vuln still open
From: AnonU...@rslight.i2p (AnonUser)
Newsgroups: rocksolid.shared.security
Organization: Rocksolid Light
Date: Sun, 10 Nov 2019 22:08 UTC
Path: i2pn2.org!rocksolid2!.POSTED.localhost!not-for-mail
Message-ID: <e559a77f9fe0122e609f566061d1f4cf$1@rslight.i2p>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sun, 10 Nov 2019 22:08:23 -0000 (UTC)
Injection-Info: novabbs.com; posting-account="retrobbs1"; posting-host="localhost:127.0.0.1";
logging-data="6346"; mail-complaints-to="usenet@novabbs.com"
User-Agent: rslight (http://news.novabbs.com)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on novabbs.com
X-Rslight-Site: $2y$10$jvHZGW/CjaMuzZ7zdxYRz.WeqwiqnaE9yD01t19POL/9uYegwCjPe

https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html

I tested that with tbb and firefox and sure enough, both were vulnerable.

this domain here:
https://xn--80ak6aa92e.com/
displays as https://apple.com

I guess SSL on the whole is just fucked, even if this one here is not linked directly to it. Wonder if this could work with onion addresses as well?
--
Posted on Rocksolid Light



Subject: Re: 2 year old phishing vuln still open
From: anonu...@retrobbs.rocksolidbbs.com.remove-p1r-this (AnonUser)
Newsgroups: rocksolid.shared.security
Organization: RetroBBS
Date: Sun, 10 Nov 2019 23:59 UTC
Path: i2pn2.org!rocksolid3!.POSTED.localhost!not-for-mail
Message-ID: <3ad1b68f40b4ea63b1aab4ab1b36be2c$1@retrobbs.i2p>
References: <e559a77f9fe0122e609f566061d1f4cf$1@rslight.i2p>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: rocksolidbbs.com; posting-host="localhost:127.0.0.1";
logging-data="7881"; mail-complaints-to="usenet@rocksolidbbs.com"
User-Agent: rslight (http://news.novabbs.com)
To: AnonUser
X-Comment-To: AnonUser
In-Reply-To: <e559a77f9fe0122e609f566061d1f4cf$1@rslight.i2p>
X-FTN-PID: Synchronet 3.17a-Linux Dec 29 2018 GCC 6.3.0
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on rocksolidbbs.com
X-Rslight-Site: $2y$10$DT3SgorDnCRvnygH8K3scOmlbBs/tZTbkDTtipQpfnrpDNgDgkOzW
X-Gateway: retrobbs.rocksolidbbs.com [Synchronet 3.17a-Linux NewsLink 1.110]

This is terrible design...

> Wonder if this could work with onion addresses as well?
Doubt it. I think Tor can only resolve onion hashes and the browser would translate the utf8 to the punycode equivalent and try to pass that to Tor. Tor would then not be able to resolve that hash.

This would only partially work for registered I2P domain names but not the b32 hash.

If you enter xn--80ak6aa92e.i2p into your I2P browser right now, it will translate it to "apple.i2p" but it isn't in your addressbook so it will ask if you want to use a jump service. There you get two options (with I2PD):

inr.i2p:
http://joajgazyztfssty4w2on5oaqksz6tqoxbduy553y34mf4byv6gpq.b32.i2p/search/?q=xn--80ak6aa92e.i2p
stats.i2p:
http://7tbay5p4kzeekxvyvbf6v7eauazemsnnl2aoyqhg5jzpr5eke7tq.b32.i2p/cgi-bin/jump.cgi?a=xn--80ak6aa92e.i2p

If you follow stats.i2p then it displays the punycode in the error "Your attempt to jump to "xn--80ak6aa92e.i2p" failed", so I assume it would do the same on success. Though if it is successful at finding it, then IIRC it will automatically jump after a few seconds while displaying something like "found ${insert hostname}! redirecting..." so it would work with someone not paying attention. With inr.i2p I don't know, because you would have to register xn--80ak6aa92e.i2p for it to show up in the list to find out.

Maybe someone is curious enough to set up an eepsite and register it to find out :).
--
Posted on RetroBBS
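Added illustration for the two posts above (editor's example; it is not code from either poster, from the browsers, or from the I2P jump services). It shows why a label such as xn--80ak6aa92e renders as "apple" and what a display-policy check has to do to catch it. The script-detection shortcut (first word of the Unicode character name) and the small Cyrillic-to-Latin lookalike table are simplifying assumptions; a real deployment would use the Unicode confusables data and the browser's full IDN policy. It also goes slightly beyond the thread by contrasting the label from the post, which is all-Cyrillic and passes a mixed-script test, with a mixed-script label (constructed here as xn--pple-43d) that the mixed-script rule alone does catch.

```python
"""Defensive IDN/Punycode label check.

Decodes xn-- labels and applies two rules used by browsers when deciding
whether a hostname may be rendered in Unicode:
  1. mixed-script: letters from more than one script in one label
  2. whole-script confusable: a single non-Latin script whose every letter
     has a Latin lookalike, so the label impersonates an ASCII name
The label from the thread (xn--80ak6aa92e -> all-Cyrillic "apple") passes
rule 1 and is only caught by rule 2, which is the gap the post describes.
"""
import unicodedata

# Constructed subset of Cyrillic letters whose glyphs are near-identical to
# Latin ones (assumption: real tooling uses the full Unicode confusables.txt).
CYRILLIC_TO_LATIN_LOOKALIKE = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0455": "s", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}


def to_unicode_label(label: str) -> str:
    """Decode one DNS label: 'xn--80ak6aa92e' -> the Unicode it encodes."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_of(label: str) -> set:
    """Rough script set from the first word of each character's Unicode name
    (LATIN, CYRILLIC, GREEK, ...). Digits and '-' are common to all scripts
    and are ignored."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def latin_skeleton(label: str):
    """Latin string the label visually impersonates, or None if some
    character has no entry in the lookalike table."""
    out = []
    for ch in label:
        if ch.isascii():
            out.append(ch)
        elif ch in CYRILLIC_TO_LATIN_LOOKALIKE:
            out.append(CYRILLIC_TO_LATIN_LOOKALIKE[ch])
        else:
            return None
    return "".join(out)


def classify_label(ascii_label: str) -> dict:
    """Apply both rules to one label and decide how it should be displayed."""
    uni = to_unicode_label(ascii_label)
    scripts = scripts_of(uni)
    mixed = len(scripts) > 1
    skeleton = latin_skeleton(uni)
    # Conservative: any all-Cyrillic label made only of Latin lookalikes is
    # flagged. Browsers refine this with the TLD and lists of known domains.
    whole_script_confusable = (
        not mixed and scripts == {"CYRILLIC"} and skeleton is not None
    )
    return {
        "unicode": uni,
        "scripts": sorted(scripts),
        "mixed_script": mixed,
        "whole_script_confusable": whole_script_confusable,
        "looks_like": skeleton,
        "show_as_unicode": not mixed and not whole_script_confusable,
    }


def classify_hostname(host: str) -> list:
    """Classify every label of a hostname (works for .com, .i2p, any TLD)."""
    return [classify_label(label) for label in host.split(".")]


if __name__ == "__main__":
    # Hostnames from the thread plus one constructed mixed-script label.
    for host in ("xn--80ak6aa92e.com", "xn--80ak6aa92e.i2p", "xn--pple-43d.com"):
        for verdict in classify_hostname(host):
            print(host, verdict)
```

The first label of the thread's hostname decodes to five Cyrillic letters, so `mixed_script` is False (Firefox's mixed-script rule lets it through) while `looks_like` is "apple" and `whole_script_confusable` is True, so `show_as_unicode` is False; the same result holds for the .i2p form, which is why a jump-service page that prints the hostname in Unicode would show the lookalike. The constructed xn--pple-43d label mixes Cyrillic and Latin and is caught by the first rule alone.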