With a specially crafted web page, an attacker can redirect a www browser to the page, which URL (on the address bar) resembles an arbitrary domain choosen by the attacker. It is possible due to the fact, that apple safari supports IDNs - http://en.wikipedia.org/wiki/Internationalized_domain_name - and some of the UTF8 font glyphs embedded in the safari, could be used to create an URL which contains whitespaces. http://alt.swiecki.net/saft1.html The picture taken on my system: http://alt.swiecki.net/idn.png Tested with Apple Safari 3.0.2 (522.13.1) on MS Windows 2003 SE SP2 -- Robert Swiecki http://www.swiecki.net
