Attackers can evade a security mechanism and abuse Unicode domains to phish for the login credentials of Chrome, Firefox, and Opera users.
Security researcher Xudong Zheng has developed a proof-of-concept that exploits an issue in some web browsers. You can try it for yourself by clicking here. (Don’t worry. Nothing bad will happen.)
By clicking on the link, you’ll see this text in your display window.
Now look closely at the address bar. Does it look like it reads “https://www.аррlе.com/”? If so, you’re using a browser that’s vulnerable to what’s known as an internationalized domain name (IDN) homograph attack.
In English, please!
A IDN homograph attack exploits the fact that characters used in a single or multiple writing systems look similar to one another when displayed by web browsers. For instance, a Latin C looks similar to a Cyrillic C, while just in the Latin alphabet alone, two uppercase “i’s” look the same as two lowercase “l’s”. In 2015, a security researcher demonstrated this latter similarity with respect to Lloyds Bank.
So what’s the point?
In a web browser, each character is unique. Two domains might look the same, but if they use the letter “c” from two different writing systems, they’ll direct users to two different locations on the web.
Attackers can abuse this sleight of hand to redirect users to phishing websites. All they need to do is use Punycode, which relies on ASCII characters to convey foreign characters. The Punycode domain “xn--pple-43d.com” is equivalent to “apple.com”, for example. As long as a web browser translates the Punycode into what’s known as Unicode (in this case, “apple.com”), attackers can trick users into entering their login credentials on what they think is Apple’s legitimate site.
Web browsers have seen these attacks target their users in the past. They’ve responded by introducing measures that display the Punycode instead of Unicode when a domain uses characters from multiple writing systems. But those safeguards don’t protect against all Punycode-based phishing attacks.
Zheng confirms as much in a blog post:
“Chrome’s (and Firefox’s) homograph protection mechanism unfortunately fails if every characters is replaced with a similar character from a single foreign language. The domain ‘аррӏе.com’, registered as ‘xn--80ak6aa92e.com’, bypasses the filter by only using Cyrillic characters…. In many instances, the font in Chrome and Firefox makes the two domains visually indistinguishable. It becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate.”
At this time, Chrome, Firefox, and Opera appear to display the “apple.com” Unicode with the researcher’s proof-of-concept. Internet Explorer, Microsoft Edge, Safari, and others don’t appear affected.
The security researcher has reached out to Google and Mozilla about fixing the issue in their web browsers. The former intends to roll out a fix for the bug at the end of April, whereas the latter is currently discussing the issue. Firefox can users can protect themselves in the meantime by visiting about:config
and setting network.IDN_show_punycode
to true.
With that said, users of every web browser can protect themselves by using a password manager that comes with browser extensions. These programs automatically enter in login credentials for the actual domains to which they’re linked. Therefore, if they detect a domain that looks like but isn’t “apple.com,” they won’t automatically authenticate a user.
Thanks very much. I use FF 52.0.2 and have changed the network.IDN_show_punycode value to True. (Got a stern-looking warning, though, when I opened about.config. Ha.)
Thank you for this notification. I have made the change as suggested.
In Chrome I see, in the address bar, "https://www.xn--80ak6aa92e.com/"
In Firefox, "https://www.аррӏе.com/"
Interesting. I'll make the suggested change to FF settings.
Thanks, Fixed!!!
In the 'Brave' Browser i see the following:
https://www.xn--80ak6aa92e.com/
after having pressed your link.
If i read the info correctly, this means that this browser is not prone to the weakness explained.
Is that correct ?
You're correct. If you see that, you're safe.
It's also been fixed in Google Chrome now (version 58.0.3029.81).