Punycode URL attack can trick Chrome and Firefox users

The way Chrome, Firefox, and Opera display non-ASCII characters in domain names can be exploited to register a website whose address looks identical to that of a reputable site, Bleeping Computer reported.

Known as an IDN homograph attack, the weakness affects browsers that choose to render non-Latin characters which resemble Latin ones in the address bar, rather than showing their ASCII-encoded form.

This is possible because of Internationalised Domain Names (IDNs), which allow domain labels to contain non-ASCII characters.

A domain like åäö.se is therefore legal, so long as the top-level domain (in this case, Sweden’s .se) allows it.

The Internet Corporation for Assigned Names and Numbers (ICANN) permits non-ASCII characters in domain names, but has acknowledged that they can cause confusion.

It adopted a standard called Punycode, which encodes a Unicode label as plain ASCII letters, digits, and hyphens so that DNS can carry it; the encoded label is marked with the prefix "xn--". For example, the Cyrillic "а" on its own becomes xn--80a.

Browsers developed protections against obvious attacks that mix Latin and non-Latin alphabets in a single label to produce a legitimate-looking address: for such labels they display the Punycode form rather than the characters themselves.

If someone spoofed Apple's website by replacing the Latin "a" with the Cyrillic "а" to give аpple.com, browsers would instead show xn--pple-43d.com in the address bar.

The exploit

However, when every character in the label comes from a single alphabet, Chrome, Firefox, and Opera show the Unicode characters rather than the Punycode.

According to the report, Edge, Internet Explorer, Safari, Vivaldi, and Brave display the Punycode by default and are not vulnerable.

Security researcher Xudong Zheng demonstrated the exploit by setting up a fake website which looks like the real thing.

Zheng used аррӏе.com, which looks like the real apple.com, but every character in it is Cyrillic, and in Punycode the domain is xn--80ak6aa92e.com.

Chrome has fixed the issue in version 59 of the browser and rolled out a patch to Chrome 58.

Firefox is yet to address the issue.

Zheng said Firefox users can set the browser to always display non-Latin URLs in Punycode by going to “about:config” and setting “network.IDN_show_punycode” to true.
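To make the mechanics concrete, here is an added example (not the article's code and not the browsers' real IDN logic): a from-scratch RFC 3492 Punycode encoder, a toASCII helper that adds the xn-- prefix, and a simplified displayHostname function that models the address-bar rule the article describes, with options for Chrome's post-fix check on all-Cyrillic labels made only of Latin lookalikes and for the Firefox network.IDN_show_punycode preference. The function and variable names, the three-script list, and the set of lookalike Cyrillic letters are this example's own choices.

```javascript
// Added example, not code from the article or from any browser: a minimal
// RFC 3492 Punycode encoder plus a simplified model of the IDN display rules
// described in the article. toASCII, displayHostname, SCRIPTS and
// CYRILLIC_LATIN_LOOKALIKES are this example's own names and assumptions.

const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
const INITIAL_BIAS = 72, INITIAL_N = 128;

// Digit value to ASCII: 0..25 -> a..z, 26..35 -> 0..9 (RFC 3492 section 5).
function digitToChar(d) {
  return String.fromCharCode(d < 26 ? d + 97 : d - 26 + 48);
}

// Bias adaptation (RFC 3492 section 6.1).
function adapt(delta, numPoints, firstTime) {
  delta = Math.floor(delta / (firstTime ? DAMP : 2));
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > Math.floor(((BASE - TMIN) * TMAX) / 2)) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// Encode one label (RFC 3492 section 6.3); the "xn--" prefix is added by toASCII.
function punycodeEncode(label) {
  const input = Array.from(label, ch => ch.codePointAt(0));
  const basic = input.filter(cp => cp < 0x80);
  let output = String.fromCodePoint(...basic);   // basic code points are copied verbatim
  let h = basic.length;
  const b = h;
  if (b > 0) output += '-';                       // delimiter only when basic chars exist
  let n = INITIAL_N, delta = 0, bias = INITIAL_BIAS;
  while (h < input.length) {
    const m = Math.min(...input.filter(cp => cp >= n)); // next code point to encode
    delta += (m - n) * (h + 1);
    n = m;
    for (const cp of input) {
      if (cp < n) delta++;
      if (cp === n) {
        let q = delta;                                 // generalized variable-length integer
        for (let k = BASE; ; k += BASE) {
          const t = k <= bias ? TMIN : (k >= bias + TMAX ? TMAX : k - bias);
          if (q < t) break;
          output += digitToChar(t + ((q - t) % (BASE - t)));
          q = Math.floor((q - t) / (BASE - t));
        }
        output += digitToChar(q);
        bias = adapt(delta, h + 1, h === b);
        delta = 0;
        h++;
      }
    }
    delta++;
    n++;
  }
  return output;
}

// A label that is already ASCII is left alone; anything else becomes an xn-- label.
function toASCII(label) {
  return [...label].every(ch => ch.codePointAt(0) < 0x80) ? label : 'xn--' + punycodeEncode(label);
}

// Scripts considered by this model; a label drawing letters from more than one is "mixed".
const SCRIPTS = ['Latin', 'Cyrillic', 'Greek'].map(s => [s, new RegExp(`\\p{Script=${s}}`, 'u')]);

function scriptsIn(label) {
  const found = new Set();
  for (const ch of label) for (const [name, re] of SCRIPTS) if (re.test(ch)) found.add(name);
  return found;
}

// Cyrillic lowercase letters whose glyphs are near-identical to Latin ones
// (a subset, constructed for this example). Chrome's fix shows an all-Cyrillic
// label built only from such letters as Punycode.
const CYRILLIC_LATIN_LOOKALIKES = new Set('аеорсухӏ');

function wholeScriptConfusable(label) {
  const chars = [...label];
  return chars.length > 0 && chars.every(ch => CYRILLIC_LATIN_LOOKALIKES.has(ch));
}

// What the address bar shows. The default models the pre-fix Chrome/Firefox/Opera rule
// (Unicode unless a label mixes scripts); `patched` adds the whole-script confusable
// check; `alwaysPunycode` models Firefox with network.IDN_show_punycode = true.
function displayHostname(hostname, { patched = false, alwaysPunycode = false } = {}) {
  const labels = hostname.split('.');
  const ascii = labels.map(toASCII).join('.');
  if (alwaysPunycode) return ascii;
  const suspicious = labels.some(l => scriptsIn(l).size > 1 || (patched && wholeScriptConfusable(l)));
  return suspicious ? ascii : hostname;
}

// Constructed sample hostnames: real apple.com, the mixed-script spoof, Zheng's all-Cyrillic spoof.
for (const host of ['apple.com', 'аpple.com', 'аррӏе.com']) {
  console.log(host.padEnd(10), '->', displayHostname(host).padEnd(20), 'patched:', displayHostname(host, { patched: true }));
}
```

Running it shows the gap in one line each: аpple.com mixes scripts and is rendered as xn--pple-43d.com even under the old rule, while аррӏе.com is single-script and is shown as typed, which is exactly what Zheng exploited; the patched rule and the Firefox preference both put it back into its xn--80ak6aa92e.com form. Real browser policies are considerably larger than this model, so treat it as an illustration of the rule rather than a reimplementation.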

Image: Zheng's fake Apple site
