logo

Insufficient Visual Distinction of Homoglyphs Presented to User

Incomplete Base
Structure: Simple
Description

This vulnerability occurs when an application shows text or symbols to users without clearly distinguishing between characters that look identical or very similar (called homoglyphs). Because users can't easily tell these characters apart, they might misinterpret information and accidentally perform unsafe actions, like clicking a malicious link.

Extended Description

Homoglyphs are different characters that appear identical or nearly identical on screen. For example, a lowercase 'L' and an uppercase 'i' can look the same in many fonts, and the Latin 'A' is visually identical to the Greek 'Alpha'. While software treats these as completely different characters, users can't see the difference, creating a gap between what the system understands and what the user perceives. Attackers exploit this visual ambiguity to trick users. A common method is creating deceptive phishing links or hostnames that mimic trusted sites. Similarly, an attacker might register a username like 'Admin' (with a Cyrillic 'A') that looks identical to the real 'Admin' account, making malicious activity harder to spot in system logs. This highlights a critical need for interfaces to help users visually distinguish between potentially confusing characters.
Common Consequences 1
Scope: IntegrityConfidentiality

Impact: Other

An attacker may ultimately redirect a user to a malicious website, by deceiving the user into believing the URL they are accessing is a trusted domain. However, the attack can also be used to forge log entries by using homoglyphs in usernames. Homoglyph manipulations are often the first step towards executing advanced attacks such as stealing a user's credentials, Cross-Site Scripting (XSS), or log forgery. If an attacker redirects a user to a malicious site, the attacker can mimic a trusted domain to steal account credentials and perform actions on behalf of the user, without the user's knowledge. Similarly, an attacker could create a username for a website that contains homoglyph characters, making it difficult for an admin to review logs and determine which users performed which actions.
Detection Methods 1
Manual Dynamic AnalysisModerate
If utilizing user accounts, attempt to submit a username that contains homoglyphs. Similarly, check to see if links containing homoglyphs can be sent via email, web browsers, or other mechanisms.
Potential Mitigations 2
Phase: Implementation
Use a browser that displays Punycode for IDNs in the URL and status bars, or which color code various scripts in URLs. Due to the prominence of homoglyph attacks, several browsers now help safeguard against this attack via the use of Punycode. For example, Mozilla Firefox and Google Chrome will display IDNs as Punycode if top-level domains do not restrict which characters can be used in domain names or if labels mix scripts for different languages.
Phase: Implementation
Use an email client that has strict filters and prevents messages that mix character sets to end up in a user's inbox. Certain email clients such as Google's GMail prevent the use of non-Latin characters in email addresses or in links contained within emails. This helps prevent homoglyph attacks by flagging these emails and redirecting them to a user's spam folder.
Demonstrative Examples 2
The following looks like a simple, trusted URL that a user may frequently access.

Code Example:

Attack
bash
However, the URL above is comprised of Cyrillic characters that look identical to the expected ASCII characters. This results in most users not being able to distinguish between the two and assuming that the above URL is trusted and safe. The "e" is actually the "CYRILLIC SMALL LETTER IE" which is represented in HTML as the character е, while the "a" is actually the "CYRILLIC SMALL LETTER A" which is represented in HTML as the character а. The "p", "c", and "o" are also Cyrillic characters in this example. Viewing the source reveals a URL of "http://www.еxаmрlе.соm". An adversary can utilize this approach to perform an attack such as a phishing attack in order to drive traffic to a malicious website.
The following displays an example of how creating usernames containing homoglyphs can lead to log forgery.
Assume an adversary visits a legitimate, trusted domain and creates an account named "admin", except the 'a' and 'i' characters are Cyrillic characters instead of the expected ASCII. Any actions the adversary performs will be saved to the log file and look like they came from a legitimate administrator account.

Code Example:

Result
bash
Upon closer inspection, the account that generated three of these log entries is "аdmіn". Only the third log entry is by the legitimate admin account. This makes it more difficult to determine which actions were performed by the adversary and which actions were executed by the legitimate "admin" account.
Observed Examples 7
CVE-2013-7236web forum allows impersonation of users with homoglyphs in account names
CVE-2012-0584Improper character restriction in URLs in web browser
CVE-2009-0652Incomplete denylist does not include homoglyphs of "/" and "?" characters in URLs
CVE-2017-5015web browser does not convert hyphens to punycode, allowing IDN spoofing in URLs
CVE-2005-0233homoglyph spoofing using punycode in URLs and certificates
CVE-2005-0234homoglyph spoofing using punycode in URLs and certificates
CVE-2005-0235homoglyph spoofing using punycode in URLs and certificates
References 2
Writing Secure Code
Michael Howard and David LeBlanc
Microsoft Press
04-12-2002
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
ID: REF-7
The 2011 IDN Homograph Attack Mitigation Survey
Gregory Baatard and Peter Hannay
ECU Publications
2012
https://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1174&context=ecuworks2012
ID: REF-8
Likelihood of Exploit

Medium

Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
Web Based : Sometimes
Modes of Introduction
Architecture and Design
Implementation
Related Attack Patterns
Alternate Terms

Homograph Attack

"Homograph" is often used as a synonym of "homoglyph" by researchers, but according to Wikipedia, a homograph is a word that has multiple, distinct meanings.
Related Weaknesses
ChildOf: User Interface (UI) Misrepresentation of Critical Information (CWE-451)