CWE-1007: Insufficient Visual Distinction of Homoglyphs Presented to User
Learn about CWE-1007 (Insufficient Visual Distinction of Homoglyphs Presented to User), its security impact, exploitation methods, and prevention guidelines.
What is Insufficient Visual Distinction of Homoglyphs Presented to User?
• Overview: Insufficient Visual Distinction of Homoglyphs occurs when a product displays characters or symbols that look similar or identical, making it hard for users to differentiate between them, potentially leading to unintended actions.
• Exploitation Methods:
- Attackers can use visually similar characters to create deceptive URLs or domains in phishing attacks.
- Creation of user accounts or identifiers that appear legitimate but are actually malicious due to subtle visual differences.
• Security Impact:
- Users may perform unintended actions, such as visiting malicious websites or approving unauthorized access.
- Difficulty in identifying malicious actors or accounts due to visual similarity.
- Potential for significant data breaches or phishing success, leading to financial loss and reputational damage.
• Prevention Guidelines:
- Implement visual differentiation practices, such as using fonts that emphasize differences between similar characters.
- Employ text normalization techniques to ensure consistent character representation.
- Use tools and frameworks that highlight or prevent the use of homoglyphs in critical identifiers and interfaces.
Technical Details
Likelihood of Exploit:
Affected Languages: Not Language-Specific
Affected Technologies: Web Based
Vulnerable Code Example
def display_username(username):
# This function displays a username to the user.
# However, it does not handle homoglyphs, which can confuse users.
# For example, 'rn' might look like 'm', or 'α' (Greek alpha) might look like 'a',
# leading to potential phishing attacks or misidentification of usernames.
print(f"Your username is: {username}")
# Example usage
display_username("usernαme") # The 'α' is a Greek letter, not an 'a'
In this vulnerable example, the display_username function directly prints the username without any checks or transformations. This can lead to confusion if similar-looking characters (homoglyphs) are used maliciously.
How to fix Insufficient Visual Distinction of Homoglyphs Presented to User?
To address the issue of insufficient visual distinction of homoglyphs, you should:
- Normalize Input: Convert similar-looking characters to a common representation, preferably using ASCII or a restricted set of characters.
- Whitelist Characters: Allow only specific characters that are visually distinct and necessary for your application.
- User Education: Inform users about the potential risks of homoglyphs.
- Use Libraries: Utilize libraries that can help detect and mitigate homoglyph issues.
By normalizing input and using a whitelist, you can ensure that homoglyphs do not mislead users into making incorrect assumptions about the displayed information.
Fixed Code Example
import unicodedata
def normalize_username(username):
# Normalize to NFKD form and filter out non-ASCII characters
# This ensures that visually similar characters are converted to a standard form
return ''.join(
c for c in unicodedata.normalize('NFKD', username)
if c.isascii() and c.isalnum()
)
def display_username(username):
# Normalize the username to prevent homoglyph confusion
normalized_username = normalize_username(username)
print(f"Your username is: {normalized_username}")
# Example usage
display_username("usernαme") # 'α' is normalized to 'a'
In this fixed example, we use the unicodedata module to normalize the username. The normalize_username function converts input to NFKD form and filters out non-ASCII characters, reducing the risk of homoglyph confusion. By restricting the character set to alphanumeric ASCII characters, we prevent visually similar characters from being misinterpreted. This approach helps mitigate potential security issues related to homoglyphs.