Unicode flaw in Chrome and Firefox aids phishing


Internet Explorer, Edge, and Safari not affected.

Phishers can use a known vulnerability in the Chrome and Firefox web browsers to display domain names using Unicode characters to spoof websites for phishing attacks, a security vendor has shown.


Many characters from alphabets such as Greek, Cyrillic, and Armenian, which internationalised domain names may contain, look identical to Latin letters on screen but are distinct characters to the computer.

Known as the IDN homograph attack, the problem has been recognised since 2001, but browser vendors have struggled to address it.

Security vendor Wordfence demonstrated the vulnerability by registering a domain name using Unicode characters that, in Chrome version 57.0.2987 and the current version of Firefox, displayed the URL as www.epic.com, the site of a medical equipment supplier.

The domain name was in fact xn--e1awd7f.com: the xn-- prefix marks an internationalised domain name stored in its ASCII-compatible (Punycode) form. The Unicode characters Wordfence chose to represent "epic" when it registered the domain are rendered by the browser in a form that looks identical to their Latin counterparts.

Wordfence was also able to obtain a TLS certificate for the Unicode domain free of charge from the certificate authority Let's Encrypt. As a result, both browsers displayed the 'secure' padlock symbol, which would lull users into thinking their connection was authentic and safe.

The vulnerability could not be reproduced in recent versions of Apple's Safari web browser on macOS, Microsoft's Edge, or Internet Explorer 11 in iTnews testing.

Recent beta versions of Chrome are also not vulnerable, and Apple's mobile Safari browser for iOS displays the domain name correctly.

Firefox users can mitigate the issue by setting the network.IDN_show_punycode preference in about:config to true, which makes the browser show the raw xn-- form of the address instead of the decoded Unicode characters.
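The Punycode decoding that the xn-- prefix signals, and the defender-side check a site owner would run over hostnames seen in logs, mail or certificate transparency feeds, as an added Python example (not Wordfence's or iTnews's code). The lookalike table and the "epic" watchlist are constructed for the example; Unicode's full confusables list is far larger.

```python
import unicodedata

# Hand-picked Cyrillic letters that render like Latin ones (constructed for this
# example; Unicode's full confusables table is far larger).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def decode_label(label: str) -> str:
    """Return one DNS label in Unicode form; 'xn--' marks a Punycode-encoded label."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def decode_hostname(hostname: str) -> str:
    """Decode every label, e.g. 'xn--e1awd7f.com' becomes the Cyrillic 'еріс.com'."""
    return ".".join(decode_label(lab) for lab in hostname.split("."))


def scripts_of(label: str) -> set:
    """Scripts used by the letters of a label, read from each Unicode character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Replace known lookalikes with the Latin letters they resemble on screen."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def assess(hostname: str, protected: set) -> dict:
    """Flag labels that mix scripts (the heuristic browsers commonly apply) and,
    the case the epic.com demo hits, single-script labels whose lookalike
    skeleton equals one of our protected brand labels."""
    unicode_host = decode_hostname(hostname)
    findings = []
    for lab in unicode_host.split("."):
        scripts = scripts_of(lab)
        if len(scripts) > 1:
            findings.append(f"{lab!r} mixes scripts {sorted(scripts)}")
        sk = skeleton(lab)
        if sk != lab and sk in protected:
            findings.append(f"{lab!r} ({sorted(scripts)}) is a lookalike of {sk!r}")
    return {"input": hostname, "unicode": unicode_host,
            "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    print(assess("xn--e1awd7f.com", {"epic"}))
```

An all-Cyrillic label such as this one passes a mixed-script check, which is why the skeleton comparison against your own brand labels is the part that catches it.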

Copyright © iTnews.com.au . All rights reserved.