Blog
Web browser vulnerability puts web users at risk of phishing attacks
April 27th, 2017
Even the most careful Internet users could be at risk from a recently identified phishing attack, which a Chinese infosec researcher has described as “almost impossible to detect”.
It has been warned that hackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domains as legitimate websites, such as Google, Amazon or Apple, to steal information from users.
It would be difficult to identify the website as fraudulent because the web address displays the HTTPS secure symbol.
You can check if your browser is vulnerable to this attack by visiting this demo web page.
When you visit the demo page, if your web browser is displaying “apple.com” in the address bar secured with SSL (usually a padlock icon), but the content on the page is coming from another server, then your browser is vulnerable to the homograph attack.
How does the attack work?
A homograph attack is a type of spoofing attack where the website looks legitimate but it is not because a character or characters in the URL have been replaced with Unicode characters.
Many Unicode characters may look the same as Latin letters to the casual eye, but they are treated differently by computers. For example, the Cyrillic “a” and Latin “a” are treated differently by web browsers, but are displayed as “a” in the browser address.
Many web browsers use a type of special encoding called “Punycode” to convert Unicode characters to the limited set of ASCII (A-Z, 0-9) characters supported by the International Domain Names (IDNs) systems, and protect against homograph phishing attacks.
However, a loophole means that if someone chooses all characters for a domain name from a single foreign language character set, resembling exactly the same as the targeted domain, then web browsers will render it in the same language instead of Punycode format.
This loophole allowed researchers the domain name xn—80ak6aa92e.com which appears as “apple.com” on all vulnerable web browsers. Xudong Zheng, the researcher who identified the vulnerability, has written about the attack in detail in a blog post here.
How can I protect myself?
You can protect yourself against this vulnerability by following the instructions below to disable the vulnerability on affected web browsers.
Google Chrome
Google has patched the vulnerability on the latest version (v. 58), so you will need to update to this version if you have not done so already.
To update Google Chrome, please follow these steps:
- Open Google Chrome on your computer
- Click the burger icon (3 dots) in the top right hand corner
- Then click “Update Google Chrome”
- Finally click “Relaunch”
Note: If you can’t see “Update Google Chrome” then you’re on the latest version
Mozilla Firefox
Currently there is no patch for this web browser, but there is a workaround to protect yourself from this vulnerability
- Open Mozilla Firefox on your computer
- Type about:config in the address bar
- Click “I accept the risk”
- Type “punycode” into the search bar
- Change the value to “True”
Opera
There is currently no patch for this web browser, and there is no workaround such as with Firefox.
We would recommend using an alternative browser such as Google Chrome, to protect yourself, until Opera release a patch.
Other browsers
There have been no vulnerabilities reports on the following browsers: Internet Explorer, Microsoft Edge, Apple Safari, Brave and Vivaldi.
Remember to carefully check any email which contains links or attachments before you click on anything within the message. We recommend that users manually type website URLs into the address bar for important sites like email, social networks or banking, instead of clicking on a link contained within an email, to prevent against such attacks
NEXT>> What is malware?
What is IT outsourcing?
IT outsourcing is the practice of using an external service provider to deliver some or all of the IT functions required by a business including managing infrastructure, directing strategy and running the service desk. IT outsourcing providers can take full responsibility for all IT maintenance and support, this is called a fully managed service, or […]
What is the difference between email archiving and email backup?
Corporate emails are important records of business decisions, communications and information; and, just like paper documents, you must secure and store them properly. This is where an email archiving solution can assist, but many companies may believe they already store records correctly – by backing up their mailboxes on a regular basis. There is often […]
How careful planning can take the pain out of ransomware breach response
There is plenty that organisations can do to enhance their resilience to ransomware breaches. But no preventative strategy can ever be 100% guaranteed to succeed. The modern corporate attack surface is simply too porous and expansive, and threat actors too persistent, for that. That’s why network defenders should also be primed and ready for a […]