The vulnerability, found by researcher Xudong Zheng, makes phishing attacks easier: an attacker can register a domain whose URL, as displayed by the browser, looks identical to that of the real site.
Punycode is a way of encoding Unicode, the character standard computers use for non-Roman scripts such as Arabic or Chinese and for accented characters such as “ü” and “â”, into the limited character set that the DNS allows. With Punycode, a domain label containing Unicode characters is stored and transmitted as an ASCII label made up only of letters, digits, and hyphens and prefixed with “xn--”; the browser decodes that label back to Unicode before showing it in the address bar.
The issue is that many Unicode characters are visually indistinguishable from ASCII ones. A Cyrillic small letter “a” (U+0430) is a different character from the Latin small letter “a” (U+0061), but in most fonts the two glyphs are identical. Browsers already refuse to display a label that mixes scripts in Unicode form, but a label made entirely of Cyrillic look-alike letters passes that check, so an affected browser decodes the Punycode and displays a string that looks exactly like the Latin brand name. Anyone who registers such a domain can therefore build a convincing phishing site.
“Visually, the two domains are indistinguishable due to the font used by Chrome and Firefox. As a result, it becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate,” writes Zheng.
Zheng was kind enough to set up a test page at https://www.xn--80ak6aa92e.com/ for those who wish to check how their browser interprets a Punycode domain. If the address bar reads “https://apple.com”, the browser is vulnerable: it is showing the Cyrillic look-alike letters instead of the “xn--” form.
The vulnerability is nothing new; homograph attacks of this kind were identified years ago. It is nevertheless disappointing, if not frustrating, that major browsers still display such domains in Unicode rather than Punycode form by default, especially given the recent rise in phishing attacks.
Zheng reported his findings to the makers of three browsers, with only Google promising a fix for Chrome. Opera and Mozilla decided the matter is something that domain registrars should tackle. Until the issue is resolved, Firefox users can limit their exposure by going to about:config and changing