Invisible character bug - no warnings

Someone on twitter going by @ledegend_eth (ledegened.eth) has discovered quite a serious bug that scammers will, no doubt, start to use very quickly.

“busy submitting bug reports. managed to successfully register undetectable hidden character domains. this not good”

They have managed to register a domain with hidden characters, successfully impersonating 0000.eth, without any warnings on any website being displayed for it. Opensea even categorises it as being in the 10k club!

Here’s a link to the opensea item:
https://opensea.io/assets/ethereum/0x57f1887a8BF19b14fC0dF6Fd9B2acc9Af147eA85/55238440828741901086954412487065650333399353573786767621428045863332448413780

Devs pls fix…

2 Likes

This was already fixed a while ago on the ENS side actually. See the ENS metadata service response here: https://metadata.ens.domains/mainnet/0x57f1887a8BF19b14fC0dF6Fd9B2acc9Af147eA85/55238440828741901086954412487065650333399353573786767621428045863332448413780

{"message":"TokenID of the query does not match with labelhash of 0000.eth"}

So it’s correct on the ENS side; it’s just the marketplace website being slow to delist. The metadata response is a 404, so ideally they should not list the name in the first place.

3 Likes

Hmm. It seems it’s listed on every marketplace except ens.vision.

How long ago was it fixed? Do you have a link to any discussions?

It was reported by @lcfr.eth almost a year ago I think, and done through the proper private channels, by e-mailing bugs@ens.domains.

FYI OpenSea has delisted it now https://opensea.io/assets/ethereum/0x57f1887a8BF19b14fC0dF6Fd9B2acc9Af147eA85/55238440828741901086954412487065650333399353573786767621428045863332448413780

1 Like

Oh yes it does seem delisted now… I wonder if they did it manually or not.
Anyway, thanks for your replies.

This is a reversion of the bug reported by lcfr. He reported it again, and we’ve since re-fixed it. We’re putting in place mitigations to make sure it can’t happen again.

4 Likes