The vulnerability, found by researcher Xudong Zheng, makes phishing attacks easier by allowing a spoof website to carry a URL that looks the same as the real thing.
Punycode is a way of representing Unicode, the standard text encoding by which computers represent non-Roman scripts such as Arabic or Mandarin as well as accented characters such as “ü” and “â”. With Punycode, URLs containing Unicode characters are encoded as ASCII strings consisting only of letters, digits, and hyphens.
The issue is that visually similar characters from different scripts are practically impossible to tell apart. A Cyrillic small letter “a” (Unicode character U+0430) is a different code point from a Latin small letter “a” (U+0061), but a vulnerable browser decodes the Punycode and displays the Unicode form, so the two characters look the same on screen. Thus, the owner of such a domain name could create a convincing phishing site.
“Visually, the two domains are indistinguishable due to the font used by Chrome and Firefox. As a result, it becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate,” writes Zheng.
Zheng was kind enough to set up a test page at https://www.xn--80ak6aa92e.com/ for those who wish to check how their browser interprets a Punycode site. If the URL reads “https://apple.com”, this unfortunately means the browser is vulnerable.
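As an added example (not from Zheng’s write-up or this article), the following Python check decodes a Punycode hostname and flags both mixed-script labels and the whole-script look-alike case used by the test domain above; the look-alike table is a small subset constructed here for illustration (Unicode’s confusables.txt is the authoritative list).

```python
import unicodedata

# Partial Cyrillic -> Latin look-alike table, constructed for this example.
# The authoritative mapping is Unicode TR39 confusables.txt.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a",  # а
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0441": "c",  # с
    "\u0443": "y",  # у
    "\u0445": "x",  # х
    "\u04cf": "l",  # ӏ (palochka), used in the test domain above
    "\u0456": "i",  # і
    "\u0458": "j",  # ј
    "\u04bb": "h",  # һ
}

def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) into its Unicode form; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. 'CYRILLIC' or 'LATIN'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def analyse_hostname(hostname: str) -> dict:
    """Decode each label and report why a reader could mistake it for a Latin name."""
    labels = [decode_label(lab) for lab in hostname.lower().split(".")]
    unicode_host = ".".join(labels)
    mixed, whole = False, False
    for lab in labels:
        letters = [c for c in lab if c.isalpha()]
        scripts = {script_of(c) for c in letters}
        if len(scripts) > 1:                      # e.g. Cyrillic 'а' + Latin 'pple'
            mixed = True
        # Whole-script confusable: no Latin letter at all, yet every letter has a
        # Latin twin. This is the case that defeats a plain mixed-script check.
        if letters and "LATIN" not in scripts and all(c in CYRILLIC_LOOKALIKES for c in letters):
            whole = True
    # Latin "skeleton" to compare against a watch list of brands (e.g. apple.com)
    skeleton = "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in unicode_host)
    return {
        "unicode": unicode_host,
        "skeleton": skeleton,
        "mixed_script": mixed,
        "whole_script_confusable": whole,
        "suspicious": mixed or whole,
    }
```

Feeding `analyse_hostname("xn--80ak6aa92e.com")` the test domain yields the skeleton `apple.com` and a whole-script-confusable verdict, which is exactly the signal a mail gateway or proxy can use to warn before the browser renders the look-alike.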
The vulnerability is nothing new in the tech world, with the risk having been identified as far back as pre-internet days. However, it’s somewhat disappointing, if not frustrating, to see that major browsers still don’t distinguish Punycode domains from genuine Unicode domains by default, especially given the recent rise in phishing attacks.
Zheng reported his findings to the makers of three browsers, with only Google promising a fix for Chrome. Opera and Mozilla decided the matter is something that domain registrars should tackle. Until the issue is resolved, Chrome and Firefox users can limit their exposure by going to about:config and changing