Web browser vulnerability puts web users at risk of phishing attacks
27 April 2017
Even the most careful Internet users could be at risk from a recently identified phishing attack, which a Chinese infosec researcher has described as “almost impossible to detect”.
It has been warned that hackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domains as legitimate websites, such as Google, Amazon or Apple, to steal information from users.
It would be difficult to identify the website as fraudulent because the web address displays the HTTPS secure symbol.
You can check if your browser is vulnerable to this attack by visiting this demo web page.
When you visit the demo page, if your web browser is displaying “apple.com” in the address bar secured with SSL (usually a padlock icon), but the content on the page is coming from another server, then your browser is vulnerable to the homograph attack.
How does the attack work?
A homograph attack is a type of spoofing attack where the website looks legitimate but it is not because a character or characters in the URL have been replaced with Unicode characters.
Many Unicode characters may look the same as Latin letters to the casual eye, but they are treated differently by computers. For example, the Cyrillic “a” and Latin “a” are treated differently by web browsers, but are displayed as “a” in the browser address.
Many web browsers use a type of special encoding called “Punycode” to convert Unicode characters to the limited set of ASCII (A-Z, 0-9) characters supported by the International Domain Names (IDNs) systems, and protect against homograph phishing attacks.
However, a loophole means that if someone chooses all characters for a domain name from a single foreign language character set, resembling exactly the same as the targeted domain, then web browsers will render it in the same language instead of Punycode format.
This loophole allowed researchers the domain name xn—80ak6aa92e.com which appears as “apple.com” on all vulnerable web browsers. Xudong Zheng, the researcher who identified the vulnerability, has written about the attack in detail in a blog post here.
How can I protect myself?
You can protect yourself against this vulnerability by following the instructions below to disable the vulnerability on affected web browsers.
Google has patched the vulnerability on the latest version (v. 58), so you will need to update to this version if you have not done so already.
To update Google Chrome, please follow these steps:
- Open Google Chrome on your computer
- Click the burger icon (3 dots) in the top right hand corner
- Then click “Update Google Chrome”
- Finally click “Relaunch”
Note: If you can’t see “Update Google Chrome” then you’re on the latest version
Currently there is no patch for this web browser, but there is a workaround to protect yourself from this vulnerability
- Open Mozilla Firefox on your computer
- Type about:config in the address bar
- Click “I accept the risk”
- Type “punycode” into the search bar
- Change the value to “True”
There is currently no patch for this web browser, and there is no workaround such as with Firefox.
We would recommend using an alternative browser such as Google Chrome, to protect yourself, until Opera release a patch.
There have been no vulnerabilities reports on the following browsers: Internet Explorer, Microsoft Edge, Apple Safari, Brave and Vivaldi.
Remember to carefully check any email which contains links or attachments before you click on anything within the message. We recommend that users manually type website URLs into the address bar for important sites like email, social networks or banking, instead of clicking on a link contained within an email, to prevent against such attacks