Full Report
Fonts can include ligatures: glyphs that special-case specific combinations of letters. For instance, an "f" followed by an "i" is combined into a single "fi" glyph. The bug reporter noticed that Google Sans, the font used in the Chrome browser, includes many long ligatures that could be used for domain spoofing; "glogoligatureoogle" gets rendered as "google", for instance. That's pretty terrifying! The bug report triager found lots of other cases besides this one where the same thing happens. The triager rated this as High because of the spoofing impact of the bug. For this, the reporter got 10K plus a 5K bonus for the uniqueness of the finding. To fix it, the usage of hostnames containing ligatures was disabled. Super crazy finding! UI vulnerabilities like this are pretty rare, so this was fun to see.
Analysis Summary
Since the provided context describes a vulnerability that was found and fixed internally but **does not assign a formal CVE ID, CVSS score, specific product versions, or public PoC details**, this summary reflects that lack of public disclosure data and is based *only* on the provided context.
# Vulnerability: Domain Spoofing via Font Ligatures in Hostnames
## CVE Details
- CVE ID: **Not publicly assigned in context**
- CVSS Score: **High (triager's severity rating; no numeric CVSS score is available)**
- CWE: **CWE-20: Improper Input Validation / CWE-116: Improper Encoding or Escaping of Output** (inferred; the weakness lies in how hostnames are represented in the UI)
## Affected Systems
- Products: **Google Chrome browser hostname/URL rendering UI** (the code path that displays hostnames and URLs)
- Versions: **Not specified in context** (the fix presumably shipped in a subsequent Chromium release)
- Configurations: **Any configuration in which the font used to display domains supports ligatures.**
## Vulnerability Description
The vulnerability exists because the font rendering used to display domain names in the Chrome browser's UI applies font ligatures to hostnames. Certain character sequences (e.g., 'f' followed by 'i') are combined into a single visual glyph (the 'fi' ligature). The reporter found that Google Sans, the font used in the Chrome browser, contains many long ligatures that, when rendered, make one hostname visually resemble another (e.g., "glogoligatureoogle" rendering as "google"). This allows an attacker to present a domain that visually resembles a legitimate one, enabling phishing or spoofing.
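Added example, not code from the report or from Chromium: a Python check that simulates OpenType ligature substitution against a constructed ligature table and flags hostnames that would render with a ligature, which is the condition the fix described in this report refuses. The table entries, the glyph names and the hypothetical long ligature that draws like an "o" are assumptions made for the demo, not Google Sans data.

```python
# Added example (not from the original report or from Chromium): a defensive
# check in the spirit of the fix, flagging hostnames that would trigger a font
# ligature substitution. The table below is CONSTRUCTED; a real check would read
# it from the font's OpenType GSUB table (e.g. with fontTools).
from typing import Dict, List, Tuple

# Constructed table: character sequence -> glyph name the font substitutes for it.
# Hypothetical entries, not taken from Google Sans.
LIGATURES: Dict[str, str] = {
    "fi": "f_i",
    "ffi": "f_f_i",
    "ligature": "o",  # hypothetical long ligature whose glyph draws like an "o"
}

def shape(text: str, ligatures: Dict[str, str]) -> List[Tuple[str, str]]:
    """Simulate OpenType ligature substitution: scan left to right and, at each
    position, apply the longest matching ligature (a shaper does the same when
    the font lists longer ligatures first). Returns (source, glyph) pairs."""
    out: List[Tuple[str, str]] = []
    longest = max((len(k) for k in ligatures), default=1)
    i = 0
    while i < len(text):
        match = None
        for n in range(min(longest, len(text) - i), 1, -1):  # longest first, so "ffi" beats "fi"
            if text[i:i + n] in ligatures:
                match = text[i:i + n]
                break
        if match is None:
            out.append((text[i], text[i]))
            i += 1
        else:
            out.append((match, ligatures[match]))
            i += len(match)
    return out

def ligature_spans(hostname: str, ligatures: Dict[str, str] = LIGATURES) -> List[str]:
    """Substrings of the hostname that would be replaced by a ligature glyph.
    Hostnames are case-insensitive, so the check runs on the lowercased form."""
    return [src for src, _ in shape(hostname.lower(), ligatures) if len(src) > 1]

def safe_to_render(hostname: str, ligatures: Dict[str, str] = LIGATURES) -> bool:
    """True when no ligature would fire, i.e. the hostname can be shown as-is.
    Mirrors the fix in the report: hostnames containing ligatures are refused."""
    return not ligature_spans(hostname, ligatures)

def rendered_form(hostname: str, ligatures: Dict[str, str] = LIGATURES) -> str:
    """Approximate what the user would see: the glyph names joined together.
    For a lookalike ligature this is the string the spoof is designed to show."""
    return "".join(glyph for _, glyph in shape(hostname.lower(), ligatures))
```

With the constructed table, `rendered_form("gligatureogle.com")` comes out as `google.com`, which is exactly the collision `safe_to_render` refuses.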
## Exploitation
- Status: **A PoC presumably existed for the report and internal testing; public status unknown.** (Described as a "Super crazy finding!")
- Complexity: **Medium** (requires knowledge of the specific font's ligatures and of the target domain's structure)
- Attack Vector: **Adjacent/Network** (the victim must view an attacker-supplied URL rendered by the browser)
## Impact
- Confidentiality: **Medium to High** (if the user is tricked into entering credentials on a spoofed site)
- Integrity: **Medium to High** (if the user is misled about the site's identity)
- Availability: **Low** (No direct denial of service described)
## Remediation
### Patches
- **Fix implemented: disabled the usage of hostnames containing font ligatures.** (The specific patch version/commit ID is not provided in the context.)
### Workarounds
- **None publicly specified; potential workarounds include:**
    * Disabling the font's ligature feature (if the renderer's settings allow it).
    * Using an alternate browser engine, or an older version without the fix (not recommended).
## Detection
- **Indicators of compromise:** visual discrepancies in domain names shown in the address bar, in particular combined-character glyphs that look unusually 'smooth' or out of place in common domain names.
- **Detection methods and tools:** static analysis of the font rendering pipeline's ligature substitution logic as applied to URL display.
## References
- Vendor Advisories: **Not specified (Internal Chromium finding)**
- Relevant links: **Article context only**