On average, 12 new users join the Internet every second, and according to the infographic stats on InternetWorldStats.com, as of 31st March 2017 there were more than 3.7 billion internet users worldwide and counting.
Every day, flaws, loopholes and vulnerabilities in networks are discovered and fixed by network security firms or by independent researchers.
Recently, the Chinese researcher Xudong Zheng discovered a “Punycode/Unicode Phishing attack” that is nearly impossible to detect, even for a careful internet user or his/her browser.
With the help of this attack, hackers can steal your information, such as your name, password, financial credentials and what not.
Let’s take a look at how this “Punycode/Unicode Phishing attack” works. But before that, first have a look at this demo webpage, which was set up by the same researcher.
Punycode/Unicode Phishing attack:
If your internet browser displays the above web page with the URL “https://www.apple.com” in the address bar, along with an SSL certificate, it means your browser is vulnerable to the homograph attack. But the content is actually coming from the server, as shown in the pictures below.
“It becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate.” Xudong Zheng says.
“Punycode makes it possible to register domains with foreign characters. It works by converting individual domain label to an alternative format using only ASCII characters. For example, the domain “xn--s7y.co” is equivalent to “短.co”.” he continues.
Many Unicode characters, for instance in Greek or Armenian, look the same as Latin letters to the human eye when used in domain names, but they are totally different when your computer or browser reads them. For example:
Xudong says, “It is possible to register a domain name such as “xn--pple-43d.com”. It is equivalent to “аpple.com” and maybe it is not noticeable at first glance, but here “аpple.com” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0041).
So both are treated differently by browsers but are displayed as “a” in the browser address. This is known as a homograph attack.”
Status of modern browsers with this issue:-
Modern browsers have their own mechanisms to limit IDN homograph attacks. The page “IDN in Google Chrome” lists the conditions under which IDNs are displayed in their native Unicode form.
According to Xudong, “a Unicode form will be hidden if a domain label contains characters from multiple different languages.
But browsers will show Punycode URLs in one language as Unicode. This advantage can be taken by Internet Thieves in order to steal people’s information by registering .”
It becomes possible to identify the site as fake by carefully inspecting the site’s URL or SSL certificate, as shown above (with the help of the Firefox browser).
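The distinction described above, between mixed-script labels (which fall back to the Punycode form) and single-script labels (which are shown as Unicode), can be checked mechanically when reviewing URLs from mail or proxy logs. The Python below is an added example, not code from the researcher or from any browser; `inspect_host`, the small `LOOKALIKES` table and the `.example` sample host are constructed for illustration, and the script is approximated from the Unicode character name.

```python
import unicodedata

# Constructed, deliberately small map of Cyrillic letters that render like
# Latin ones (assumption: a real check would use the UTS #39 confusables data).
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
              "\u0455": "s", "\u0458": "j", "\u04cf": "l"}

def script_of(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def decode_label(label):
    """Return the Unicode form of one DNS label ('xn--' labels are decoded)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def inspect_host(host):
    """Return (label, unicode, scripts, verdict, skeleton) for every label."""
    report = []
    for label in host.rstrip(".").split("."):
        text = decode_label(label)
        scripts = {script_of(c) for c in text} - {"COMMON"}
        skeleton = "".join(LOOKALIKES.get(c, c) for c in text)
        if text.isascii():
            verdict = "ascii"
        elif len(scripts) > 1:
            verdict = "mixed-script"             # the case browsers show as xn--
        elif skeleton.isascii():
            verdict = "single-script-lookalike"  # shown as Unicode: the risky case
        else:
            verdict = "single-script"            # e.g. an ordinary CJK label
        report.append((label, text, sorted(scripts), verdict, skeleton))
    return report

# Constructed sample: an all-Cyrillic label that renders like the word "cope".
SAMPLE = ("xn--" + "\u0441\u043e\u0440\u0435".encode("punycode").decode("ascii")
          + ".example")

if __name__ == "__main__":
    for host in ("xn--pple-43d.com", "xn--s7y.co", SAMPLE):
        for label, text, scripts, verdict, skeleton in inspect_host(host):
            cps = " ".join(f"U+{ord(c):04X}" for c in text)
            print(f"{host}: {label} -> {text} [{cps}] {scripts} {verdict}")
```

The page's “xn--pple-43d.com” comes out as mixed-script (one Cyrillic letter among Latin ones), while the constructed all-Cyrillic label is the single-script case that a browser following the policy above would render as Unicode.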
Report of discovery:-
According to Xudong, after the discovery was confirmed, this bug was reported to the internet browser vendors Google and Mozilla in January 2017.
It was fixed in the trunk of Chrome 59 Canary on March 24. The Chrome team has decided to include the fix in Chrome 58, which should be available later this month.
The Firefox team is still undecided on whether it is within their scope or not: as you can see at Mozilla’s Bugzilla, it was initially marked as “RESOLVED” and “WONTFIX”.
But then it has been reopened, made public, and given the “sec-low” keyword.
Mozilla Firefox users can limit their exposure to this bug by following the steps below:-
- Type about:config in the address bar and hit enter.
- Open the settings and navigate to network.IDN_show_punycode, then set this parameter from false to true.
By doing this, Firefox will always display IDN domain names in their Punycode form, making it possible to identify malicious/fraudulent domains. (Thanks to /u/MARKZILLA on reddit.com for this solution.)
Unfortunately, users of Chrome or other browsers do not have this type of manual option to disable Punycode URL conversions. So all they can do is wait, or temporarily switch to Firefox with this manual setting.
Internet Explorer, Microsoft Edge and Apple Safari, though, are not vulnerable. In other words, users of these browsers are able to identify the Punycode URL. (We tested on the Microsoft Edge browser, as you can see below.)
A simple way to limit the damage from bugs such as this: internet users should be very attentive to the URL while entering their personal information, to protect against such undetectable attacks.
We hope internet browser vendors will consider implementing a fix for this bug before releasing the next update.