Google blocks Unicode phishing URLs that could spoof Apple.com in Chrome

Google has rushed out a fix in Chrome 58, released yesterday, for what it calls an Internationalized Domain Name (IDN) homograph attack, in which Cyrillic characters that look identical to Latin characters are used to spoof a well-known domain name.

Web developer Xudong Zheng demonstrated the issue in Chrome 57 and Firefox 52 by registering the domain xn--80ak6aa92e.com, which both browsers displayed in the address bar as apple.com. Security firm Wordfence also registered the domain xn--e1awd7f.com, which displays as epic.com. Phishing attackers could have used this to spam users with links to a bogus copy of Apple's website, with a high chance that recipients would open the link in Chrome, where the address bar gave no hint that the site was not Apple's.

The attack abuses Punycode, the system for encoding non-ASCII (Unicode) characters into the ASCII letters, digits and hyphens that the Domain Name System accepts. The system exists to serve web users of non-Latin languages: a registrant can register a domain as an ASCII string (the "xn--" form) and have the browser display it to local users in, say, Chinese or another script. As Zheng pointed out, the domain "xn--s7y.co" is equivalent to "短.co".
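As an added worked example (not part of the article, and not code from Zheng, Wordfence or Google), the Python below decodes the xn-- labels named above with the standard library's Punycode codec, encodes Unicode labels back to their xn-- form, and then applies a simple browser-style display policy: a label that mixes scripts, or whose letters are all Cyrillic look-alikes of Latin letters, is shown as Punycode rather than as Unicode. The look-alike table and the policy in assess_host are assumptions made for this example, modelled loosely on the idea behind the Chrome 58 change, not Chrome's actual rules; the mixed-script host in the final loop is constructed for the example.

```python
import codecs
import unicodedata

# Cyrillic letters whose glyphs in common fonts are near-identical to a Latin
# letter. This table is an assumption made for the example; browsers consult
# Unicode's much larger confusables data.
CYRILLIC_LATIN_LOOKALIKES = {
    "\u0430": "a",  # а
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0441": "c",  # с
    "\u0443": "y",  # у
    "\u0445": "x",  # х
    "\u0455": "s",  # ѕ
    "\u0456": "i",  # і
    "\u0458": "j",  # ј
    "\u04bb": "h",  # һ
    "\u04cf": "l",  # ӏ (palochka)
}


def to_unicode_host(host):
    """Decode the xn-- labels of an ASCII hostname with the Punycode codec
    (RFC 3492). Labels without the prefix are kept as they are."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = codecs.decode(label[4:].encode("ascii"), "punycode")
        labels.append(label)
    return ".".join(labels)


def to_ascii_host(host):
    """Inverse of to_unicode_host: Punycode-encode every label that contains
    a non-ASCII character and prefix it with xn--."""
    labels = []
    for label in host.lower().split("."):
        if not label.isascii():
            label = "xn--" + codecs.encode(label, "punycode").decode("ascii")
        labels.append(label)
    return ".".join(labels)


def scripts_in(label):
    """Scripts used by the letters of a label, approximated by the first word
    of each character's Unicode name (LATIN, CYRILLIC, CJK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def latin_lookalike(label):
    """If every letter in the label is a Cyrillic Latin look-alike, return the
    Latin string it imitates; otherwise None."""
    letters = [ch for ch in label if ch.isalpha()]
    if not letters or any(ch not in CYRILLIC_LATIN_LOOKALIKES for ch in letters):
        return None
    return "".join(CYRILLIC_LATIN_LOOKALIKES.get(ch, ch) for ch in label)


def assess_host(host):
    """Apply a display policy to a hostname given in Unicode or xn-- form.

    The policy is an assumption for this example, modelled loosely on the
    idea behind the Chrome 58 change rather than on its exact rules: a label
    that mixes scripts, or whose letters are all Cyrillic Latin look-alikes,
    forces the whole host to be shown in its Punycode form.
    """
    unicode_host = to_unicode_host(host)
    spoof_labels, show_punycode = [], False
    for label in unicode_host.split("."):
        lookalike = None if label.isascii() else latin_lookalike(label)
        if lookalike is not None or len(scripts_in(label)) > 1:
            show_punycode = True
        spoof_labels.append(label if lookalike is None else lookalike)
    spoofed = ".".join(spoof_labels)
    return {
        "unicode": unicode_host,
        # The ASCII domain a victim would believe they are visiting, if any.
        "spoofs": spoofed if spoofed != unicode_host else None,
        "display": to_ascii_host(unicode_host) if show_punycode else unicode_host,
    }


if __name__ == "__main__":
    # The first three hosts are the ones named in the article; the last is a
    # constructed mixed-script label (Latin letters plus one Cyrillic а).
    for h in ("xn--80ak6aa92e.com", "xn--e1awd7f.com", "xn--s7y.co", "p\u0430ypal.com"):
        print(h, "->", assess_host(h))
```

Running it shows the two Cyrillic domains decoding to strings whose letters are all look-alikes (so the policy falls back to the xn-- form and reports the Latin domain they imitate), while the genuine Chinese domain keeps its Unicode display.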
