Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chrome 59 To Address Punycode Phishing Attack

Posted by msmash on from the patching-things dept.

Google says it will be rolling out a patch to Chrome in v59 to address a decade-old unicode vulnerability called Punycode that allowed attackers to fool people into clicking on compromised links. Engadget adds: Thanks to something called Punycode, phishers are able to register bogus domains that look identical to a real website. Take this proof-of-concept from software engineer Xudong Zheng, where apple.com won't take you to a store selling Macs, iPhones and iPads. The real website is actually https://www.xn--80ak6aa92e [dot] com. The xn-- prefix tells browsers like Chrome that the domain uses ASCII compatible encoding. It allows companies and individuals from countries with non-traditional alphabets to register a domain that contains A-Z characters but renders in their local language. The issue was first reported to Google and Mozilla on January 20th and Google has issued a fix in Chrome 59. It's currently live in the Canary (advance beta release) but the search giant will likely make it available to all Chrome users soon.

2 of 69 comments (clear)

  1. Ooh, I get to complain about the Slashdot post qua by Kiwikwi · · Score: 4, Informative

    Horrible summary... Punycode is an encoding, not a vulnerability. The vulnerability is a variant of the well-known homograph attack.

    The original source explains it better: https://www.xudongz.com/blog/2...

  2. Firefox config switch by Jason69 · · Score: 5, Informative

    In Firefox / about:config set: network.IDN_show_punycode;true