New vulnerability in the Chrome, Firefox and Opera web browsers?

Johnatan56

Honorary Master
Joined
Aug 23, 2013
Messages
24,850
Mitigation For Firefox Users (Not FIX For Chrome)
Firefox users can follow the steps below to manually apply a temporary mitigation:

Type about:config in address bar and press enter.
Type Punycode in the search bar.
The browser settings will show a parameter titled network.IDN_show_punycode; double-click it, or right-click and select Toggle, to change the value from false to true.

Unfortunately, there is no similar setting available in Chrome or Opera to disable Punycode URL conversions manually, so Chrome users have to wait the next few weeks to get the patched Stable 58 release.

Well, for banks, typing the URL in directly would still act the same; links are going to be fun to follow.
 

saor

Honorary Master
Joined
Feb 3, 2012
Messages
19,929
Link to the fake apple.com url for anyone who wants to see it in action: https://аррӏе.com/

If your web browser is displaying "apple.com" in the address bar secured with SSL, but the content on the page is coming from another server (as shown in the above picture), then your browser is vulnerable to the homograph attack.
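
An added example, not part of any post in this thread: a Python check that shows the Punycode form a browser displays once network.IDN_show_punycode is true, and flags a hostname whose lookalike letters spell a name on a watchlist. The lookalike table is a small constructed subset, and `PROTECTED`, `check` and the other function names are hypothetical.

```python
import unicodedata

# Hand-picked subset of Cyrillic letters that render like Latin ones.
# Constructed for this example; Unicode's confusables.txt is the full list.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u04cf": "l",
}

def punycode_form(hostname):
    """ASCII form of each label (raw RFC 3492 encoding, no nameprep step)."""
    out = []
    for label in hostname.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)

def scripts(hostname):
    """Scripts used by the letters, read from the Unicode character names."""
    return sorted({unicodedata.name(ch).split()[0]
                   for ch in hostname if ch.isalpha()})

def skeleton(hostname):
    """Replace known lookalikes with the Latin letter they resemble."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in hostname.lower())

def check(hostname, protected):
    """Report the Punycode form and any protected name the host imitates."""
    host = hostname.lower()
    skel = skeleton(host)
    imitates = skel if skel != host and skel in protected else None
    return {"punycode": punycode_form(host),
            "scripts": scripts(host),
            "imitates": imitates}

# Constructed sample: the all-Cyrillic label from the thread, as escapes.
FAKE = "\u0430\u0440\u0440\u04cf\u0435.com"
PROTECTED = {"apple.com"}  # hypothetical watchlist

if __name__ == "__main__":
    for name in (FAKE, "apple.com"):
        print(ascii(name), check(name, PROTECTED))
```

A genuine Cyrillic name that does not collapse to a watched Latin name is left unflagged, which is why the check compares the skeleton against a watchlist instead of rejecting every non-ASCII label.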
 

bratwurst

Expert Member
Joined
Oct 15, 2008
Messages
3,785
Firefox, Opera Mini and Opera Coast on iOS all show the actual domain and not Apple.com. Seems it's only Chrome on iOS. There are more browsers, but too lazy to test.

Is there a list somewhere that mentions all affected browsers?
 