Chrome, Firefox and Opera vulnerable to Punycode phishing attack
Note: this is a reprint of April 20, 2017, The Inquirer. The original announcement can be found here.
SECURITY RESEARCHERS have sounded the alarm bells and warned that Firefox, Chrome and Opera, have a vulnerability that makes phishing attacks easier.
The vulnerability lies in the ease with which an attacker can create a spoof website with a URL that looks exactly the same as the real thing. It relies on the way that many browsers interpret Punycode.
Punycode is a way of representing Unicode, the standard method by which computers encode text of non-Roman languages such as Arabic or Mandarin and accented characters such as "ü". Using Punycode, URLs containing Unicode characters are represented as ASCII characters consisting of letters, digits and hyphens.
The problem arises in the fact that similar characters are hard to distiguish from each other. While a Cyrillic small letter "a" (Unicode character U+0430) is different from a Latin small letter "a" (U+0061), in a vulnerable browser they look the same when the Punycode is interpreted. Therefore, the owner of the domain name xn--80ak6aa92e.com, which is displayed as "apple.com" could create a convincing phishing site.
The vulnerability was highlighted by researcher Xudong Zheng who has set up a test page at https://www.xn--80ak6aa92e.com/ for users to check how their browser interprets a Punycode site. If the URL reads "https://apple.com", this means the browser is vulnerable.
"Visually, the two domains are indistinguishable due to the font used by Chrome and Firefox. As a result, it becomes impossible to identify the site as fraudulent without carefully inspecting the site's URL or SSL certificate," writes Zheng.
The act of taking advantage of this vulnerability is known as an internationalised domain name (IDN) homograph attack - or more simply as a homograph spoofing attack.
The vulnerability is nothing new, with the risk being identified in pre-internet days. In 2010 a spoof PayPal website was set up to demonstrate the danger of fakes, in which the Cyrillic characters "raural.com" were shown to be represented as "paypal.com" in browsers.
However, with the rise in phishing attacks in recent times it is disappointing that major browsers still don't distinguish between Punycode and Unicode domains by default.
Zheng reported his findings to Google, who have promised a fix for Chrome. He has also contacted Opera and Mozilla, although the latter apparently decided it is something that domain registrars should tackle.
In the meantime, Chrome and Firefox users can limit their exposure by going to about:config and changing network.IDN_show_punycode to true. µ
In The News is brought to you by WinMill Software, the premier resource for systems development and integration, expert consulting, quality assurance, technology infrastructure, and software resale. For more information, contact a WinMill Account Manager at firstname.lastname@example.org or 1-888-711-MILL (6455).