Many popular browsers, including Firefox, Chrome and Opera, have a vulnerability that makes phishing attacks easier.
The vulnerability lies in the ease with which an attacker can create a spoof website with a URL that looks exactly the same as the real thing. It relies on the way that many browsers interpret Punycode.
Punycode is a way of representing Unicode, the standard method by which computers encode text of non-Roman languages such as Arabic or Mandarin and accented characters such as “ü”. Using Punycode, URLs containing Unicode characters are represented as ASCII characters consisting of letters, digits and hyphens.
The problem arises in the fact that similar characters are hard to distiguish from each other. While a Cyrillic small letter “a” (Unicode character U+0430) is different from a Latin small letter “a” (U+0061), in a vulnerable browser they look the same when the Punycode is interpreted. Therefore, the owner of the domain name xn--80ak6aa92e.com, which is displayed as “apple.com” could create a convincing phishing site.
The vulnerability was highlighted by researcher Xudong Zheng who has set up a test page at https://www.xn--80ak6aa92e.com/ for users to check how their browser interprets a Punycode site. If the URL reads “https://apple.com”, this means the browser is vulnerable.
“Visually, the two domains are indistinguishable due to the font used by Chrome and Firefox. As a result, it becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate,” writes Zheng.
The act of taking advantage of this vulnerability is known as an internationalised domain name (IDN) homograph attack – or more simply as a homograph spoofing attack.
The vulnerability is nothing new, with the risk being identified in pre-internet days. In 2010 a spoof PayPal website was set up to demonstrate the danger of fakes, in which the Cyrillic characters “raural.com” were shown to be represented as “paypal.com” in browsers.
However, with the rise in phishing attacks in recent times it is disappointing that major browsers still don’t distinguish between Punycode and Unicode domains by default.
Zheng reported his findings to Google, who have promised a fix for Chrome. He has also contacted Opera and Mozilla, although the latter apparently decided it is something that domain registrars should tackle.
In the meantime, Chrome and Firefox users can limit their exposure by going to
about:config and changing
Join Computing in London on 4 May for the Cyber Security Strategy Briefing 2017 for the Financial Sector.
Speakers include Adam Koleda, IT director of insurance firm BPL Global; Peter Agathangelou, associate director of Hamilton Fraser Insurance; and, Dr Kuan Hon, consultant lawyer at law firm Pinsent Masons.
Attendance is free to qualifying IT professionals and IT leaders – register now!