URL spoofing with invalid unicode characters
- June 11, 2009
- Pavel Cvrcek
- Fixed in
- Firefox 3.0.11
Mozilla add-on developer Pavel Cvrcek reported that certain invalid unicode characters, when used as part of an IDN, are displayed as whitespace in the location bar. This whitespace could be used to force part of the URL out of view in the location bar. An attacker could use this vulnerability to spoof the location bar and display a misleading URL for their malicious web page.