Chrome, Firefox, and Opera users vulnerable to Unicode domain phishing attacks

Password managers to the rescue!


Attackers can evade a security mechanism and abuse Unicode domains to phish for the login credentials of Chrome, Firefox, and Opera users.

Security researcher Xudong Zheng has developed a proof-of-concept that exploits an issue in some web browsers. You can try it for yourself by clicking here. (Don't worry. Nothing bad will happen.)

By clicking on the link, you'll see this text in your display window.

[Screenshot of the proof-of-concept page, taken 17 April 2017]

Now look closely at the address bar. Does it look like it reads "https://www.аррlе.com/"? If so, you're using a browser that's vulnerable to what's known as an internationalized domain name (IDN) homograph attack.

In English, please!

An IDN homograph attack exploits the fact that characters from one or more writing systems look alike when a web browser renders them. For instance, a Latin "c" (U+0063) looks the same as a Cyrillic "с" (U+0441), while within the Latin alphabet alone two uppercase "I"s look the same as two lowercase "l"s in many fonts. In 2015, a security researcher demonstrated this latter similarity with respect to Lloyds Bank.

So what's the point?

To DNS and the web browser, each Unicode code point is distinct. Two domains might look the same on screen, but if one uses the letter "c" from the Latin script and the other from the Cyrillic script, they are different names that resolve to two different locations on the web.

Attackers can abuse this sleight of hand to lure users onto phishing websites. All they need to do is register an internationalized domain, which DNS stores in Punycode: an ASCII-only encoding of the non-ASCII label, marked with the prefix "xn--". The Punycode domain "xn--pple-43d.com", for example, decodes to "аpple.com", where the first letter is the Cyrillic "а" (U+0430) rather than the Latin "a". As long as a web browser shows the decoded Unicode form in its address bar (in this case, something that reads "apple.com"), attackers can trick users into entering their login credentials on what they think is Apple's legitimate site.

Web browsers have seen these attacks target their users in the past. They responded by displaying the Punycode form instead of the Unicode form whenever a domain label mixes characters from more than one writing system. But that mixed-script check does not catch every Punycode-based phishing domain.

Zheng confirms as much in a blog post:

"Chrome's (and Firefox's) homograph protection mechanism unfortunately fails if every character is replaced with a similar character from a single foreign language. The domain 'аррӏе.com', registered as 'xn--80ak6aa92e.com', bypasses the filter by only using Cyrillic characters.... In many instances, the font in Chrome and Firefox makes the two domains visually indistinguishable. It becomes impossible to identify the site as fraudulent without carefully inspecting the site's URL or SSL certificate."


At the time of writing, Chrome, Firefox, and Opera render the researcher's proof-of-concept domain as Unicode that reads "apple.com" in the address bar. Internet Explorer, Microsoft Edge, Safari, and others show the Punycode form and don't appear affected.

The security researcher has reported the issue to Google and Mozilla. The former intends to roll out a fix at the end of April, whereas the latter is still discussing the issue. Firefox users can protect themselves in the meantime by opening about:config and setting network.IDN_show_punycode to true, which makes the address bar show the "xn--" form for every internationalized domain.

With that said, users of every web browser can protect themselves by using a password manager that comes with browser extensions. These programs match saved credentials against the exact domain they were stored for, and a lookalike such as "аррӏе.com" is a different domain from "apple.com" no matter how similar the two look on screen. A password manager that sees a domain which looks like but isn't "apple.com" will therefore not offer to fill in the Apple credentials, and that silence is itself a warning sign.
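The following Python example, added here and not taken from the article or from Zheng's proof-of-concept, ties together the Punycode encoding described above, the mixed-script check that browsers relied on, the single-script bypass Zheng quotes, and the exact-domain comparison a password manager performs. It uses only the standard library: the `punycode` codec for the "xn--" labels, and the first word of each character's Unicode name as a stand-in for a proper script lookup. The confusables table is a hand-picked excerpt, not the full UTS #39 list, and the "whole-script confusable" rule is a simplified illustration of the idea rather than any browser's actual policy. All hostnames are the ones the page quotes plus a constructed genuine Cyrillic domain to show the check does not flag legitimate IDNs.

```python
"""IDN homograph checks (added example; not from the page or Zheng's PoC)."""
import unicodedata

# Constructed subset of Cyrillic letters that look like Latin letters in
# common UI fonts. Hand-picked excerpt, not UTS #39's full confusables table.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a",  # а CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # о CYRILLIC SMALL LETTER O
    "\u0440": "p",  # р CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # у CYRILLIC SMALL LETTER U
    "\u0445": "x",  # х CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # ѕ CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # і CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # ј CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # һ CYRILLIC SMALL LETTER SHHA
    "\u04cf": "l",  # ӏ CYRILLIC SMALL LETTER PALOCHKA
}


def to_unicode(host: str) -> str:
    """Decode each xn-- label of a hostname with the stdlib punycode codec."""
    out = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        out.append(label)
    return ".".join(out)


def to_ascii(host: str) -> str:
    """Encode each non-ASCII label as xn--<punycode>: the form DNS sees."""
    out = []
    for label in host.split("."):
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        out.append(label.lower())
    return ".".join(out)


def scripts(label: str) -> set:
    """Scripts of the letters in a label, taken from the first word of each
    character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    found = set()
    for ch in label:
        if unicodedata.category(ch).startswith("L"):
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def mixed_script(label: str) -> bool:
    """The older browser heuristic: a label that mixes writing systems."""
    return len(scripts(label)) > 1


def skeleton(label: str) -> str:
    """Replace confusable Cyrillic letters with their Latin lookalikes."""
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in label)


def should_show_punycode(host: str) -> bool:
    """Show the ASCII form if any label is mixed-script, or is a whole-script
    confusable: non-ASCII letters whose skeleton is pure ASCII (Zheng's case)."""
    for label in to_unicode(host).split("."):
        if label.isascii():
            continue
        if mixed_script(label) or skeleton(label).isascii():
            return True
    return False


def display_host(host: str) -> str:
    """What the address bar should show for this hostname."""
    return to_ascii(host) if should_show_punycode(host) else to_unicode(host)


def autofill_allowed(stored_host: str, visited_host: str) -> bool:
    """A password manager compares domains in their ASCII (DNS) form, so a
    lookalike never matches the saved entry, whatever the font shows."""
    return to_ascii(stored_host) == to_ascii(visited_host)


if __name__ == "__main__":
    for h in ("xn--pple-43d.com", "xn--80ak6aa92e.com", "www.apple.com"):
        u = to_unicode(h)
        first = u.split(".")[0]
        print(h, "->", u, [f"U+{ord(c):04X}" for c in first],
              "mixed" if mixed_script(first) else "single-script",
              "-> address bar:", display_host(h))
    print(autofill_allowed("www.apple.com", "www.\u0430\u0440\u0440\u04cf\u0435.com"))
```

Running the script shows that "xn--pple-43d" is mixed-script (one Cyrillic letter among Latin ones) and is caught by the older check, while "xn--80ak6aa92e" is entirely Cyrillic and only the skeleton comparison catches it; the final line prints False, because the saved "www.apple.com" entry does not match the lookalike's "xn--" form.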


6 Responses

  1. S. Sahu

    April 18, 2017 at 10:27 am #

    Thanks very much. I use FF 52.0.2 and have changed the network.IDN_show_punycode value to True. (Got a stern-looking warning, though, when I opened about:config. Ha.)

  2. Dennis

    April 18, 2017 at 12:16 pm #

    Thank you for this notification. I have made the change as suggested.

  3. Hayton

    April 18, 2017 at 2:40 pm #

    In Chrome I see, in the address bar, "https://www.xn--80ak6aa92e.com/"

    In Firefox, "https://www.аррӏе.com/"

    Interesting. I'll make the suggested change to FF settings.

  4. David L

    April 18, 2017 at 5:27 pm #

    Thanks, Fixed!!!

  5. JIm Goodyear

    April 19, 2017 at 5:50 pm #

    In the 'Brave' browser I see the following:

    https://www.xn--80ak6aa92e.com/

    after having pressed your link.

    If i read the info correctly, this means that this browser is not prone to the weakness explained.

    Is that correct ?

    • Bob in reply to JIm Goodyear.

      April 19, 2017 at 9:43 pm #

      You're correct. If you see that, you're safe.

      It's also been fixed in Google Chrome now (version 58.0.3029.81).
