Web browser vulnerability puts web users at risk of phishing attacks
Last updated on April 15th, 2020
Even the most careful Internet users could be at risk from a recently identified phishing attack, which a Chinese infosec researcher has described as “almost impossible to detect”.
It has been warned that hackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domains as legitimate websites, such as Google, Amazon or Apple, to steal information from users.
It would be difficult to identify the website as fraudulent because the web address displays the HTTPS secure symbol.
You can check if your browser is vulnerable to this attack by visiting this demo web page.
When you visit the demo page, if your web browser is displaying “apple.com” in the address bar secured with SSL (usually a padlock icon), but the content on the page is coming from another server, then your browser is vulnerable to the homograph attack.
How does the attack work?
A homograph attack is a type of spoofing attack where the website looks legitimate but it is not because a character or characters in the URL have been replaced with Unicode characters.
Many Unicode characters may look the same as Latin letters to the casual eye, but they are treated differently by computers. For example, the Cyrillic “a” and Latin “a” are treated differently by web browsers, but are displayed as “a” in the browser address.
Many web browsers use a type of special encoding called “Punycode” to convert Unicode characters to the limited set of ASCII (A-Z, 0-9) characters supported by the International Domain Names (IDNs) systems, and protect against homograph phishing attacks.
However, a loophole means that if someone chooses all characters for a domain name from a single foreign language character set, resembling exactly the same as the targeted domain, then web browsers will render it in the same language instead of Punycode format.
This loophole allowed researchers the domain name xn—80ak6aa92e.com which appears as “apple.com” on all vulnerable web browsers. Xudong Zheng, the researcher who identified the vulnerability, has written about the attack in detail in a blog post here.
How can I protect myself?
You can protect yourself against this vulnerability by following the instructions below to disable the vulnerability on affected web browsers.
Google has patched the vulnerability on the latest version (v. 58), so you will need to update to this version if you have not done so already.
To update Google Chrome, please follow these steps:
- Open Google Chrome on your computer
- Click the burger icon (3 dots) in the top right hand corner
- Then click “Update Google Chrome”
- Finally click “Relaunch”
Note: If you can’t see “Update Google Chrome” then you’re on the latest version
Currently there is no patch for this web browser, but there is a workaround to protect yourself from this vulnerability
- Open Mozilla Firefox on your computer
- Type about:config in the address bar
- Click “I accept the risk”
- Type “punycode” into the search bar
- Change the value to “True”
There is currently no patch for this web browser, and there is no workaround such as with Firefox.
We would recommend using an alternative browser such as Google Chrome, to protect yourself, until Opera release a patch.
There have been no vulnerabilities reports on the following browsers: Internet Explorer, Microsoft Edge, Apple Safari, Brave and Vivaldi.
Remember to carefully check any email which contains links or attachments before you click on anything within the message. We recommend that users manually type website URLs into the address bar for important sites like email, social networks or banking, instead of clicking on a link contained within an email, to prevent against such attacks
How to protect personal data and comply with GDPR
In order to comply with the GDPR, organisations must implement appropriate technical measures that ensure compliance. This is established under Article 32, which delineates the GDPR’s “security of processing standards”, and is required of both data controllers and data processors. When implementing this measures the Regulation does state that “the state of the art and […]
9 tips for successful IT outsourcing
IT outsourcing is not a new business strategy, but its use has been increasing across the globe in the past few years. Some companies rely on a single service provider for all their IT requirements, others opt for multi-sourcing – the practice of using multiple vendors to manage different IT functions. Alternatively is the hybrid model […]
8 IT security mistakes law firms make
The IT security landscape and the threats faced by law firms have changed little in the last 20 years. The nature of these threats, however, has changed drastically and many firms are yet to catch up. While the old hackers typically hacked for fun, interest and challenge – the main driver for the modern hacker […]