Chrome, Firefox, and Opera users vulnerable to Unicode domain phishing attacks

Password managers to the rescue!

David Bisson


Attackers can evade a security mechanism and abuse Unicode domains to phish for the login credentials of Chrome, Firefox, and Opera users.

Security researcher Xudong Zheng has developed a proof-of-concept that exploits an issue in some web browsers. You can try it for yourself by clicking here. (Don’t worry. Nothing bad will happen.)

By clicking on the link, you’ll see this text in your display window.

[Screenshot: the proof-of-concept page as displayed in the browser]

Now look closely at the address bar. Does it look like it reads “https://www.аррlе.com/”? If so, you’re using a browser that’s vulnerable to what’s known as an internationalized domain name (IDN) homograph attack.

In English, please!

An IDN homograph attack exploits the fact that characters from a single writing system, or from several different ones, can look alike when rendered by a web browser. For instance, a Latin C looks similar to a Cyrillic C, while within the Latin alphabet alone, two uppercase “I”s look the same as two lowercase “l”s. In 2015, a security researcher demonstrated this latter similarity with respect to Lloyds Bank.

So what’s the point?

In a web browser, each character is unique. Two domains might look the same, but if they use the letter “c” from two different writing systems, they’ll direct users to two different locations on the web.


Attackers can abuse this sleight of hand to redirect users to phishing websites. All they need to do is use Punycode, which relies on ASCII characters to convey foreign characters. The Punycode domain “xn--pple-43d.com” is equivalent to “apple.com”, for example. As long as a web browser translates the Punycode into what’s known as Unicode (in this case, “apple.com”), attackers can trick users into entering their login credentials on what they think is Apple’s legitimate site.

Web browsers have seen these attacks target their users in the past. They’ve responded by introducing measures that display the Punycode instead of Unicode when a domain uses characters from multiple writing systems. But those safeguards don’t protect against all Punycode-based phishing attacks.

Zheng confirms as much in a blog post:

“Chrome’s (and Firefox’s) homograph protection mechanism unfortunately fails if every character is replaced with a similar character from a single foreign language. The domain ‘аррӏе.com’, registered as ‘xn--80ak6aa92e.com’, bypasses the filter by only using Cyrillic characters… In many instances, the font in Chrome and Firefox makes the two domains visually indistinguishable. It becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate.”
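To make Zheng’s observation concrete, here is an added example (not code from the article or from Zheng’s proof of concept) that decodes the two Punycode labels quoted in the text, applies the mixed-script rule that lets “xn--80ak6aa92e.com” through, and then catches that domain with a confusable-skeleton comparison against a protected-domain list. The small Cyrillic-to-Latin table and the `protected` allowlist are constructed for this example.

```python
import unicodedata

# Constructed, deliberately small confusable table: Cyrillic letters that common
# browser fonts render like Latin ones. Unicode's confusables.txt is far larger.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l",
    "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u04bb": "h",
}

def decode_label(label):
    """Unicode form of one DNS label; Punycode is decoded if the xn-- prefix is present."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_of(label):
    """Unicode scripts of the letters in a label, taken from the character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def mixes_scripts(label):
    """The rule the article says browsers already apply: more than one script in a label."""
    return len(scripts_of(label)) > 1

def skeleton(text):
    """Fold confusable Cyrillic letters onto the Latin letters they look like."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in text)

def classify(hostname, protected):
    """'ascii', 'mixed-script', 'confusable-with:<domain>' or 'idn' for a hostname.

    protected is a hypothetical allowlist of Latin domains whose look-alikes should
    be shown as Punycode even when every character comes from a single script.
    """
    labels = [decode_label(part) for part in hostname.lower().split(".")]
    unicode_host = ".".join(labels)
    if unicode_host.isascii():
        return "ascii"
    if any(mixes_scripts(part) for part in labels):
        return "mixed-script"            # the existing browser filter already catches this
    folded = skeleton(unicode_host)
    if folded != unicode_host:           # at least one confusable letter was folded
        for domain in protected:
            if folded == domain or folded.endswith("." + domain):
                return "confusable-with:" + domain
    return "idn"                         # genuine non-Latin name, safe to display as Unicode

if __name__ == "__main__":
    for host in ("www.apple.com", "www.xn--pple-43d.com", "www.xn--80ak6aa92e.com"):
        print(host, "->", classify(host, {"apple.com"}))
```

The mixed-script check alone flags “xn--pple-43d.com” (Cyrillic а followed by Latin pple) but passes the all-Cyrillic “xn--80ak6aa92e.com”; only the skeleton comparison catches the latter.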


At this time, Chrome, Firefox, and Opera appear to display the “apple.com” Unicode with the researcher’s proof-of-concept. Internet Explorer, Microsoft Edge, Safari, and others don’t appear affected.

The security researcher has reached out to Google and Mozilla about fixing the issue in their web browsers. The former intends to roll out a fix for the bug at the end of April, whereas the latter is currently discussing the issue. Firefox users can protect themselves in the meantime by visiting about:config and setting network.IDN_show_punycode to true.

With that said, users of every web browser can protect themselves by using a password manager that comes with browser extensions. These programs automatically enter login credentials only for the actual domains to which they’re linked. Therefore, if they encounter a domain that looks like but isn’t “apple.com,” they won’t automatically authenticate the user.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

6 comments on “Chrome, Firefox, and Opera users vulnerable to Unicode domain phishing attacks”

  1. S. Sahu

    Thanks very much. I use FF 52.0.2 and have changed the network.IDN_show_punycode value to True. (Got a stern-looking warning, though, when I opened about:config. Ha.)

  2. Dennis

    Thank you for this notification. I have made the change as suggested.

  3. Hayton

    In Chrome I see, in the address bar, "https://www.xn--80ak6aa92e.com/"

    In Firefox, "https://www.аррӏе.com/"

    Interesting. I'll make the suggested change to FF settings.

  4. David L
  5. JIm Goodyear

    In the 'Brave' Browser i see the following:

    https://www.xn--80ak6aa92e.com/

    after having pressed your link.

    If i read the info correctly, this means that this browser is not prone to the weakness explained.

    Is that correct ?

    1. Bob · in reply to JIm Goodyear

      You're correct. If you see that, you're safe.

      It's also been fixed in Google Chrome now (version 58.0.3029.81).
