Google releases Chrome update that prevents ‘invisible’ phishing attack
Google has released version 58 of the Chrome browser. Among the changes is an update to the way the browser displays Unicode domains. This should protect against a variation of a homograph attack, which can be used for phishing.
Modern browsers protect users from such an attack in different ways, but recently researcher Xudong Zeng published a method that allows Firefox, Opera and Chrome users to present a domain name with foreign characters that looks like a legitimate domain. . The researcher demonstrated this using the Apple domain, apple.com, which is actually the domain xn--80ak6aa92e.com.
The operation of the method is related to internationalized domain names, which were created to represent characters in domains that do not occur in the Latin alphabet. These domain names are stored as ascii using punycode. That’s one way of teaching Unicode with ascii. Because it is difficult to tell the difference between some Unicode and ascii characters, it is possible to create a phishing domain that does not appear to be different from a legitimate domain.
According to Zeng, the existing protections of the said browsers do not work against his method that uses characters from a single language set, in this case Cyrillic. Google has now made a change in the Chrome 58 update, so that the researcher’s domain is still displayed as punycode. On its page on IDN policies, the company writes that the solution is “an attempt to meet the needs of the international user base while protecting against homograph attacks.”
The solution that Google has opted for shows the punycode domain for domains made up entirely of Cyrillic characters that resemble Latin characters, while the top-level domain is not an IDN. The solution therefore only works for domains such as .com, .net and .uk, according to Google. The company says it is working on additional solutions. There is a discussion at Mozilla about whether to implement a patch in Firefox; for now it seems that this is not happening. Firefox users can choose to display IDNs as punycode themselves.
Users can test if they already have the update with the fix by checking Zeng’s page in Chrome. If the url bar shows xn--80ak6aa92e.com, the browser is not susceptible to the attack.