The vulnerability, found by researcher Xudong Zheng, makes phishing attacks easier by allowing a spoof website with a URL that looks identical to the real one.
Punycode is a way of representing Unicode, the standard text encoding by which computers represent non-Roman scripts such as Arabic or Mandarin and accented characters such as “ü” and “â”. With Punycode, a domain name containing Unicode characters is encoded as an ASCII (character encoding standard) string consisting only of letters, digits, and hyphens.
The issue is that similar-looking characters are practically impossible to tell apart by eye. A Cyrillic small letter “a” (Unicode character U+0430) is a different character from a Latin small letter “a” (U+0061), but a vulnerable browser decodes the Punycode and renders both with the same glyph, so the two look identical. Thus, the owner of such a domain name could create a convincing phishing site.
“Visually, the two domains are indistinguishable due to the font used by Chrome and Firefox. As a result, it becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate,” writes Zheng.
Zheng was kind enough to set up a test page at https://www.xn--80ak6aa92e.com/ for those who wish to check how their browser displays a Punycode domain. If the address bar reads “https://apple.com”, the browser is unfortunately vulnerable.
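As an added example, not from the article or from Zheng, the following Python decodes the Punycode label of the test domain above and flags it as a look-alike of apple.com; the look-alike table is a constructed subset, and the mixed-script example hostname is constructed too.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones in common fonts.
# Production code would use the full Unicode TR39 confusables table instead.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04bb": "h", "\u04cf": "l",
}


def decode_label(label):
    """Return one DNS label as Unicode: 'xn--' labels are Punycode, others pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(text):
    """Replace each look-alike with the Latin letter it resembles on screen."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in text)


def scripts(text):
    """Scripts of the letters in `text`, read from the first word of each Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def classify_hostname(host, trusted):
    """Decode `host` and say whether it impersonates a hostname in `trusted`."""
    labels = [decode_label(l) for l in host.lower().split(".")]
    decoded = ".".join(labels)
    skel = skeleton(decoded)
    per_label = [scripts(l) for l in labels]
    result = {"unicode": decoded, "scripts": sorted(set().union(*per_label)),
              "verdict": "ok"}
    if decoded != skel and skel in trusted:
        # Every letter of the label is Cyrillic, so a per-label mixed-script
        # check passes; only the skeleton comparison catches it (Zheng's case).
        result["verdict"] = "homograph of " + skel
    elif any(len(s) > 1 for s in per_label):
        # A Latin label with a single Cyrillic letter swapped in.
        result["verdict"] = "mixed script"
    return result


if __name__ == "__main__":
    # Test domain from the article, plus a constructed mixed-script name.
    for host in ("xn--80ak6aa92e.com", "apple.com", "p\u0430ypal.com"):
        print(host, classify_hostname(host, {"apple.com"}))
```

Run it to see the test domain decode to a wholly Cyrillic label whose skeleton is apple.com, which is why a mixed-script check alone is not enough.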
The vulnerability is nothing new in the tech world; the risk was identified as far back as pre-internet days. However, it is somewhat disappointing, if not frustrating, to see that major browsers still display Punycode domains as Unicode by default, especially given the recent rise in phishing attacks.
Zheng reported his findings to the makers of three browsers, with only Google promising a fix for Chrome. Opera and Mozilla decided the matter is something that domain registrars should tackle. Until the issue is resolved, Chrome and Firefox users can limit their exposure by going to about:config and changing