April 17, 2017

Google is fixing a Chrome flaw that makes phishing easy

by John_A

As we’ve seen in the past, a strong password doesn’t automatically make people safe online. Often, a specially crafted email is all that it takes for someone to hand over their digital life to a malicious third party. Although email services are doing more to filter phishing emails before they reach your inbox, a decades-old Unicode technique is making it hard for users to determine whether a destination is legitimate. Fortunately, Microsoft Edge, Internet Explorer and Safari are immune, and Google is just days away from patching the flaw.

Thanks to something called Punycode, phishers are able to register bogus domains that look identical to a real website. Take this proof-of-concept from software engineer Xudong Zheng, where a link that appears to read apple.com won’t take you to a store selling Macs, iPhones and iPads. The address behind it is actually https://www.xn--80ak6aa92e.com.

The xn-- prefix tells browsers like Chrome that the domain uses ASCII-compatible encoding. It allows companies and individuals from countries with non-traditional alphabets to register a domain that is stored using only A-Z characters but renders in their local language. For example, the domain “xn--s7y.co” would appear as “短.co” in Chinese browsers.

The issue was first reported to Google and Mozilla on January 20th, and Google has issued a fix in Chrome 59. It’s currently live in Canary (the advance, pre-beta release), but the search giant will likely make it available to all Chrome users soon.

Firefox users, on the other hand, may have to take things into their own hands. Mozilla is still undecided as to whether it will implement a dedicated patch. For now, users can enter about:config into the address bar and change the network.IDN_show_punycode preference to true. That makes Firefox show international domains in their Punycode form, making it easier to detect whether a website is phony.
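To make the mechanism concrete, here is an added example (not code from the article, Google, Mozilla or Xudong Zheng) that decodes ACE labels with Python’s built-in punycode codec and then applies a simplified “whole-script confusable” check of the kind a browser can use to decide whether to render a label in Unicode or fall back to its xn-- form. The confusables table is a small constructed subset, and the check is an illustration of the idea, not Chrome 59’s actual policy; the `show_punycode` flag mirrors the effect of Firefox’s network.IDN_show_punycode preference.

```python
"""Decode IDN (Punycode) labels and decide how a browser might display them."""
import unicodedata

# Constructed subset of letters that render like ASCII letters in common fonts,
# mapped to the ASCII letter each one imitates. A real browser uses the full
# Unicode confusables data; this table is only an illustration.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03bd": "v",  # GREEK SMALL LETTER NU
}


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label; 'xn--' marks an ACE label."""
    label = label.lower()
    if not label.startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # malformed ACE label: leave it as it is


def decode_hostname(host: str) -> str:
    """Decode every label of a hostname given in its on-the-wire (ACE) form."""
    return ".".join(decode_label(label) for label in host.split("."))


def scripts_of(label: str) -> set:
    """Crude script detection: first word of each letter's Unicode name."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def latin_skeleton(label: str) -> str:
    """Replace known look-alike letters with the ASCII letters they imitate."""
    return "".join(CONFUSABLES.get(c, c) for c in label)


def is_whole_script_confusable(label: str) -> bool:
    """True when a non-ASCII label would render as a plausible ASCII label."""
    if label.isascii():
        return False
    skeleton = latin_skeleton(label)
    return skeleton.isascii() and skeleton.replace("-", "").isalnum()


def display_form(host: str, show_punycode: bool = False) -> str:
    """Pick the string a careful address bar would show for an ACE hostname.

    Labels whose Unicode form merely imitates ASCII are kept as xn-- labels;
    genuine non-Latin labels (e.g. a CJK name) are shown in their own script.
    With show_punycode=True every label stays in ACE form, like Firefox's
    network.IDN_show_punycode=true.
    """
    host = host.lower()
    if show_punycode:
        return host
    shown = []
    for label in host.split("."):
        unicode_label = decode_label(label)
        shown.append(label if is_whole_script_confusable(unicode_label) else unicode_label)
    return ".".join(shown)


if __name__ == "__main__":
    # The two hostnames discussed in the article.
    for host in ("xn--80ak6aa92e.com", "xn--s7y.co", "example.com"):
        decoded = decode_hostname(host)
        print(f"{host:22} decodes to {decoded!r:14} scripts={scripts_of(decoded.split('.')[0])}"
              f" shown as {display_form(host)!r}")
```

Run it and the first hostname decodes to five Cyrillic letters whose skeleton is the ASCII word "apple", so the safer display is the xn-- form; the CJK label has no ASCII skeleton and is displayed in its own script, which is the distinction a fix has to preserve so that legitimate international domains keep working.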

Source: Wordfence, Xudong Zheng