Google is fixing a Chrome flaw that makes phishing easy
As we’ve seen in the past, a strong password doesn’t automatically make people safe online. Often, a specially-crafted email is all that it takes for someone to hand over their digital life to a malicious third party. Although email services are doing more to filter phishing emails before they reach your inbox, a decades-old unicode technique is making it hard for users to determine whether a destination is legitimate. Fortunately, Microsoft Edge, Internet Explorer and Safari are immune and Google is just days away from patching the flaw.
Thanks to something called Punycode, phishers are able to register bogus domains that look identical to a real website. Take this proof-of-concept from software engineer Xudong Zheng, where apple.com won’t take you to a store selling Macs, iPhones and iPads. The real website is actually https://www.xn--80ak6aa92e.com.
The xn-- prefix tells browsers like Chrome that the domain uses ASCII compatible encoding. It allows companies and individuals from countries with non-traditional alphabets to register a domain that contains A-Z characters but renders in their local language. For example, the domain “xn--s7y.co” would appear as “短.co” in Chinese browsers.
The issue was first reported to Google and Mozilla on January 20th and Google has issued a fix in Chrome 59. It’s currently live in the Canary (advance beta release) but the search giant will likely make it available to all Chrome users soon.
Firefox users, on the other hand, may have to take things into their own hands. Mozilla is still undecided as to whether it will implement a dedicated patch. For now, users can plug about:config into the address bar and change the network.IDN_show_punycode attribute to true. That enables Firefox to show international domains in their Punycode form, making it easier to detect whether a website is phony.
Source: Wordfence, Xudong Zheng