Google blocks Unicode phishing URLs that could spoof in Chrome

Google has rushed out a fix in Chrome 58, released yesterday, for what it calls an Internationalized Domain Name (IDN) homographic attack that used Cyrillic characters that look identical to Latin characters.

Web developer Xudong Zheng demonstrated the issue in Chrome 57 and Firefox 52 by registering the domain which appeared in the both browsers’ address bar as Security firm Wordfence also registered the domain which looks like Phishing attackers could have used the this to spam users with bogus links to Apple's website with a high chance that recipients would view the site with Chrome.

The attack makes use of the punycode system for converting non-Latin characters into ASCII encoding. The system itself supports web users of non-Latin languages by allowing people to register domains using A-Z characters and have the browser represent the domain to local users in, say, Chinese or other other scripts. As Zheng pointed out, the domain "" is equivalent to "短.co".

Register or Login to continue

This article is only available for subscribers. Sign up now for free and get free access to premium content from ARN, CIO, CSO, CMO, Computerworld, and PC World.

[[ message ]]
[[ message ]]

Tags GoogleApplechrome

Show Comments