Web browser vulnerability puts web users at risk of phishing attacks
Last updated on April 15th, 2020
Even the most careful Internet users could be at risk from a recently identified phishing attack, which a Chinese infosec researcher has described as “almost impossible to detect”.
It has been warned that hackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domains as legitimate websites, such as Google, Amazon or Apple, to steal information from users.
It would be difficult to identify the website as fraudulent because the web address displays the HTTPS secure symbol.
You can check if your browser is vulnerable to this attack by visiting this demo web page.
When you visit the demo page, if your web browser is displaying “apple.com” in the address bar secured with SSL (usually a padlock icon), but the content on the page is coming from another server, then your browser is vulnerable to the homograph attack.
How does the attack work?
A homograph attack is a type of spoofing attack where the website looks legitimate but it is not because a character or characters in the URL have been replaced with Unicode characters.
Many Unicode characters may look the same as Latin letters to the casual eye, but they are treated differently by computers. For example, the Cyrillic “a” and Latin “a” are treated differently by web browsers, but are displayed as “a” in the browser address.
Many web browsers use a type of special encoding called “Punycode” to convert Unicode characters to the limited set of ASCII (A-Z, 0-9) characters supported by the International Domain Names (IDNs) systems, and protect against homograph phishing attacks.
However, a loophole means that if someone chooses all characters for a domain name from a single foreign language character set, resembling exactly the same as the targeted domain, then web browsers will render it in the same language instead of Punycode format.
This loophole allowed researchers the domain name xn—80ak6aa92e.com which appears as “apple.com” on all vulnerable web browsers. Xudong Zheng, the researcher who identified the vulnerability, has written about the attack in detail in a blog post here.
How can I protect myself?
You can protect yourself against this vulnerability by following the instructions below to disable the vulnerability on affected web browsers.
Google has patched the vulnerability on the latest version (v. 58), so you will need to update to this version if you have not done so already.
To update Google Chrome, please follow these steps:
- Open Google Chrome on your computer
- Click the burger icon (3 dots) in the top right hand corner
- Then click “Update Google Chrome”
- Finally click “Relaunch”
Note: If you can’t see “Update Google Chrome” then you’re on the latest version
Currently there is no patch for this web browser, but there is a workaround to protect yourself from this vulnerability
- Open Mozilla Firefox on your computer
- Type about:config in the address bar
- Click “I accept the risk”
- Type “punycode” into the search bar
- Change the value to “True”
There is currently no patch for this web browser, and there is no workaround such as with Firefox.
We would recommend using an alternative browser such as Google Chrome, to protect yourself, until Opera release a patch.
There have been no vulnerabilities reports on the following browsers: Internet Explorer, Microsoft Edge, Apple Safari, Brave and Vivaldi.
Remember to carefully check any email which contains links or attachments before you click on anything within the message. We recommend that users manually type website URLs into the address bar for important sites like email, social networks or banking, instead of clicking on a link contained within an email, to prevent against such attacks
Sevens reasons for outsourced IT support failure
While IT outsourcing can deliver numerous benefits to your business, like all large projects, the move is never guaranteed to be risk-free. You only need to look a few years back to find some big-name failures caused by a failed outsourcing relationship – The UK Border Agency, BSkyB, the Child Support Agency and the Royal […]
10 signs you should switch IT support provider right now
Switching IT support provider is not a decision to be taken lightly but it is often a decision born from necessity rather than from choice. The perceived pain of changing support providers often paralyses businesses – leading them to endure the inept service until things become too costly to continue. Often, the incompetence of a […]
Tips for managing multiple devices for IT teams
BYOD, CYOD, IaaS and SaaS may have been buried under waves of new acronyms, but although they’re buried, they can’t be forgotten. These four acronyms changed the way businesses’ networks are structured, they multiplied the complexity of connectivity, they incited the development of mobile apps for traditionally desktop software and, along with cloud, gave life […]