An old domain parsing loophole could make browsers like Chrome and Firefox vulnerable to undetectable phishing attacks, according to a recent report.
Discovered by Xudong Zheng, a web application developer, the vulnerability in question is a type of homograph attack: a malicious party deceives users about the server or website they are communicating with by exploiting the fact that many Unicode characters look alike.
Zheng explains further:
From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as "xn--pple-43d.com", which is equivalent to "аpple.com". It may not be obvious at first glance, but "аpple.com" uses the Cyrillic "а" (U+0430) rather than the ASCII "a" (U+0041).
Given the possible confusion this could cause, Punycode was introduced as a standard for internet host names that represents Unicode text using only ASCII characters. For example, the Unicode domain "短.co" is encoded in Punycode as "xn--s7y.co".
With this in mind, he explains that the loophole could easily be exploited for phishing attacks. To test it out, he registered a domain whose name consists entirely of look-alike characters from a single non-Latin Unicode script (Cyrillic).
In Zheng's example, xn--80ak6aa92e[.]com is rendered as аррӏе[.]com (in Cyrillic characters). Looking at the rendered link would easily fool anyone, even those who are already knowledgeable about phishing attacks. He found that Chrome and Opera failed the test, with the two browsers displaying the fake apple[.]com link.
However, in BleepingComputer's testing, Internet Explorer, Edge, Vivaldi, and Brave displayed the original Punycode link. This means that opening phishing links in those browsers would not disguise the sketchy URL.
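As an added illustration (not code from the report or from Zheng's write-up), the following Python decodes the Punycode labels quoted above and applies the kind of look-alike check a browser or URL scanner can use to decide whether to show the Unicode form or keep the raw "xn--" label visible. The confusables table is a small constructed subset, not Unicode's full confusables list.

```python
# Constructed, deliberately small table of Cyrillic letters whose glyphs are
# near-identical to Latin letters in common fonts. The real confusables data
# (Unicode UTS #39) is far larger; this subset covers the examples in the article.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l",  # palochka, the "l" in the article's apple look-alike
}

def decode_label(label: str) -> str:
    """Turn one 'xn--' label into its Unicode form; plain ASCII labels pass through."""
    if label.lower().startswith("xn--"):
        # Raw Punycode decode, without the IDNA2003 nameprep round-trip check,
        # so code points newer than Unicode 3.2 (such as U+04CF) are accepted.
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_unicode(host: str) -> str:
    """Decode every label of a host name, e.g. 'xn--s7y.co' -> '短.co'."""
    return ".".join(decode_label(part) for part in host.split("."))

def ascii_skeleton(label: str):
    """Return the ASCII string a Unicode label imitates, or None if it does not
    imitate one (pure ASCII, or it contains a visibly non-Latin character)."""
    if label.isascii():
        return None
    out = []
    for ch in label:
        if ch.isascii():
            out.append(ch)
        elif ch in CYRILLIC_LOOKALIKES:
            out.append(CYRILLIC_LOOKALIKES[ch])
        else:
            return None  # clearly foreign glyph: not a homograph of an ASCII name
    return "".join(out)

def display_hostname(host: str):
    """Decide what a URL bar should show: the Unicode form when it is honest,
    the raw Punycode label when every non-ASCII character is a Latin look-alike.
    Returns (text_to_display, imitated_ascii_host_or_None)."""
    shown, imitated, flagged = [], [], False
    for label in host.split("."):
        uni = decode_label(label)
        skel = ascii_skeleton(uni)
        if skel is None:
            shown.append(uni)
            imitated.append(uni)
        else:
            flagged = True
            shown.append(label)  # keep the "xn--" form visible to the user
            imitated.append(skel)
    return ".".join(shown), (".".join(imitated) if flagged else None)
```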
Zheng stated that he has contacted Google, which has acknowledged the issue. It has been patched in Chrome Canary 59, and the stable version will receive the fix later this month. Mozilla, however, is still working on an official patch.
Source: Xudong Zheng via BleepingComputer