You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2009-15

Mozilla Foundation Security Advisory 2009-15

Title: URL spoofing with box drawing character
Impact: Low
Announced: April 21, 2009
Reporter: Bjoern Hoehrmann, Moxie Marlinspike
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.0.9
  SeaMonkey 1.1.15


Bjoern Hoehrmann and security researcher Moxie Marlinspike independently reported that Unicode box drawing characters were allowed in Internationalized Domain Names (IDN) where they could be visually confused with punctuation used in valid web addresses. This could be combined with a phishing-type scam to trick a victim into thinking they were on a different website than they actually were.