The vulnerability, found by researcher Xudong Zheng, makes phishing attacks easier by allowing the creation of a spoof website with a URL that looks the same as the real thing.
Punycode is a way of representing Unicode, the standard text encoding method by which computers encode non-Roman languages such as Arabic or Mandarin and characters with accents such as “ü” and “â”. With Punycode, URLs containing Unicode characters are displayed as ASCII (a character encoding standard) characters consisting of letters, digits, and hyphens.
The issue is that similar characters are practically impossible to distinguish from each other. While a Cyrillic small letter “a” (Unicode character U+0430) is different from a Latin small letter “a” (U+0061), a vulnerable browser displays the Punycode domain with its Unicode characters and, as a result, the two look the same. Thus, the owner of such a domain name could create a convincing phishing site.
“Visually, the two domains are indistinguishable due to the font used by Chrome and Firefox. As a result, it becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate,” writes Zheng.
Zheng was kind enough to set up a test page at https://www.xn--80ak6aa92e.com/ for those who wish to check how their browser interprets a Punycode site. If the URL reads “https://apple.com”, this unfortunately means the browser is vulnerable.
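A defender-side check for the look-alike labels described above, as an added example (not code from the article or from Zheng): it decodes `xn--` labels and flags any that mix scripts or that read as plain ASCII through a small look-alike table. The function names and the constructed Cyrillic-to-Latin table are assumptions made for illustration.

```python
import unicodedata

# Constructed, partial Cyrillic -> Latin look-alike table (an assumption for
# this example; the full Unicode confusables data is far larger).
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
              "\u0456": "i", "\u04cf": "l"}

def decode_label(label):
    """Return the Unicode form of one DNS label; xn-- marks Punycode."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(text):
    """Scripts used in a label, taken from the first word of each Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}

def inspect_host(host):
    """Return (raw label, decoded label, reason) for each suspicious label."""
    findings = []
    for raw in host.lower().rstrip(".").split("."):
        try:
            text = decode_label(raw)
        except UnicodeError:
            findings.append((raw, raw, "invalid Punycode"))
            continue
        if text.isascii():
            continue  # plain ASCII label, nothing to compare
        found = scripts(text)
        skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in text)
        if len(found) > 1:
            findings.append((raw, text, "mixed scripts: " + ", ".join(sorted(found))))
        elif skeleton.isascii():
            findings.append((raw, text, "reads as ASCII '%s'" % skeleton))
    return findings

if __name__ == "__main__":
    # Hostname of the test page mentioned in the article.
    for raw, text, reason in inspect_host("www.xn--80ak6aa92e.com"):
        print(raw, "->", " ".join("U+%04X" % ord(c) for c in text), ":", reason)
```

A label written entirely in Latin with accents, such as "münchen", is not flagged, because its skeleton still contains non-ASCII characters and it uses a single script.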
The vulnerability is nothing new in the tech world, with the risk having been identified as far back as the pre-internet days. However, it’s somewhat disappointing, if not frustrating, to see that major browsers still can’t make a distinction between Punycode and Unicode domains by default, especially given the recent increase in phishing attacks.
Zheng reported his findings to the makers of three browsers, with only Google promising a fix for Chrome. Opera and Mozilla decided the matter is something that domain registrars should tackle. Until the issue is resolved, Chrome and Firefox users can limit their exposure by going to about:config and changing