Web browser vulnerability puts web users at risk of phishing attacks
April 27th, 2017
Even the most careful Internet users could be at risk from a recently identified phishing attack, which a Chinese infosec researcher has described as “almost impossible to detect”.
The warning is that attackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domains as those of legitimate websites, such as Google, Amazon or Apple, in order to steal information from users.
It would be difficult to identify the website as fraudulent because the web address displays the HTTPS secure symbol.
You can check if your browser is vulnerable to this attack by visiting this demo web page.
When you visit the demo page, if your web browser is displaying “apple.com” in the address bar secured with SSL (usually a padlock icon), but the content on the page is coming from another server, then your browser is vulnerable to the homograph attack.
How does the attack work?
A homograph attack is a type of spoofing attack in which a website address looks legitimate but is not, because one or more characters in the URL have been replaced with Unicode characters.
Many Unicode characters may look the same as Latin letters to the casual eye, but they are treated differently by computers. For example, the Cyrillic “a” and Latin “a” are treated differently by web browsers, but are displayed as “a” in the browser address.
Many web browsers use a special encoding called “Punycode” to convert Unicode characters to the limited set of ASCII (A-Z, 0-9) characters supported by the Internationalized Domain Names (IDN) system, and display it to protect against homograph phishing attacks.
However, a loophole means that if someone chooses every character of a domain name from a single foreign-language character set, so that the result looks exactly like the targeted domain, then web browsers will render it in that language instead of in Punycode format.
This loophole allowed researchers to register the domain name xn--80ak6aa92e.com, which appears as “apple.com” on all vulnerable web browsers. Xudong Zheng, the researcher who identified the vulnerability, has written about the attack in detail in a blog post here.
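A defender-side check for the loophole described above, as an added example that is not part of the original post: it decodes each label with Python's built-in punycode codec and flags labels written in one non-Latin script whose every letter resembles a Latin one. The look-alike table is a small constructed subset, and detecting scripts from Unicode character names is a simplification.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones; a real
# deployment would load the full Unicode confusables data instead.
LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i", "\u04cf": "l",
    "\u043e": "o", "\u0440": "p", "\u0455": "s", "\u0445": "x", "\u0443": "y",
}

def to_unicode(label):
    """Decode one DNS label; the 'xn--' prefix marks a Punycode-encoded label."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ascii(text):
    """Return the Punycode (xn--) form of a label, or the label if already ASCII."""
    return text if text.isascii() else "xn--" + text.encode("punycode").decode("ascii")

def scripts(text):
    """Approximate the set of scripts in a label from Unicode character names."""
    found = set()
    for ch in text:
        if ch.isascii():
            if ch.isalpha():
                found.add("LATIN")
            continue  # digits and hyphens belong to no single script
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def classify(label):
    """Return (verdict, form_to_display, latin_lookalike_or_None) for one label."""
    text = to_unicode(label)
    used = scripts(text)
    if used <= {"LATIN"}:
        return ("latin", text, None)
    if len(used) > 1:
        return ("mixed-script", to_ascii(text), None)  # show Punycode
    if all(ch in LOOKALIKES or ch.isascii() for ch in text):
        spoofed = "".join(LOOKALIKES.get(ch, ch) for ch in text)
        return ("whole-script-lookalike", to_ascii(text), spoofed)  # the loophole
    return ("single-script-idn", text, None)  # genuine IDN, show as Unicode

def check_host(host):
    """Classify every dot-separated label of a hostname."""
    return [classify(part) for part in host.split(".")]
```

Run over the demo domain, `check_host("xn--80ak6aa92e.com")` marks the first label as a whole-script look-alike of “apple” and keeps it in Punycode form, while a genuine single-script name is left readable.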
How can I protect myself?
You can protect yourself against this vulnerability by following the instructions below to disable the vulnerability on affected web browsers.
Google Chrome
Google has patched the vulnerability in the latest version (v. 58), so you will need to update to this version if you have not done so already.
To update Google Chrome, please follow these steps:
- Open Google Chrome on your computer
- Click the burger icon (3 dots) in the top right-hand corner
- Then click “Update Google Chrome”
- Finally click “Relaunch”
Note: If you can’t see “Update Google Chrome” then you’re on the latest version.
Mozilla Firefox
Currently there is no patch for this web browser, but there is a workaround to protect yourself from this vulnerability:
- Open Mozilla Firefox on your computer
- Type about:config in the address bar
- Click “I accept the risk”
- Type “punycode” into the search bar
- Change the value to “True”
Opera
There is currently no patch for this web browser, and there is no workaround like the one for Firefox.
We would recommend using an alternative browser, such as Google Chrome, to protect yourself until Opera releases a patch.
There have been no reports of the vulnerability in the following browsers: Internet Explorer, Microsoft Edge, Apple Safari, Brave and Vivaldi.
Remember to carefully check any email which contains links or attachments before you click on anything within the message. We recommend that users manually type website URLs into the address bar for important sites like email, social networks or banking, instead of clicking on a link contained within an email, to protect against such attacks.