Google blocks Unicode phishing URLs that could spoof in Chrome

Google has rushed out a fix in Chrome 58, released yesterday, for what it calls an Internationalized Domain Name (IDN) homographic attack that used Cyrillic characters that look identical to Latin characters.

Web developer Xudong Zheng demonstrated the issue in Chrome 57 and Firefox 52 by registering the domain which appeared in both browsers’ address bar as Security firm Wordfence also registered the domain which looks like Phishing attackers could have used this to spam users with bogus links to Apple's website with a high chance that recipients would view the site with Chrome.

The attack makes use of the punycode system for converting non-Latin characters into ASCII encoding. The system itself supports web users of non-Latin languages by allowing people to register domains using A-Z characters and have the browser represent the domain to local users in, say, Chinese or other scripts. As Zheng pointed out, the domain "" is equivalent to "短.co".
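
A defensive check for the pattern described above, added here as an example (not code from Google, Zheng or Wordfence): it decodes punycode labels and flags those made entirely of Cyrillic letters that have Latin twins, as well as mixed-script labels. The lookalike table is a constructed, partial one, and the function names and sample hostnames are assumptions.

```python
import unicodedata

# Constructed, partial table: Cyrillic letters that render like Latin ones.
LOOKALIKES = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
              "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",
              "\u0458": "j", "\u0455": "s"}

def decode_label(label):
    """Return the Unicode form of one DNS label (punycode labels start with xn--)."""
    if label.lower().startswith("xn--"):
        return label[4:].lower().encode("ascii").decode("punycode")
    return label

def scripts(text):
    """Scripts of the letters in text, taken from the Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def classify_label(label):
    """Return (unicode_text, verdict, latin_skeleton_or_None) for one label."""
    try:
        text = decode_label(label)
    except UnicodeError:
        return label, "invalid-punycode", None
    if text.isascii():
        return text, "ascii", None
    found = scripts(text)
    if len(found) > 1:
        return text, "mixed-script", None
    letters = [ch for ch in text if ch.isalpha()]
    if found == {"CYRILLIC"} and all(ch in LOOKALIKES for ch in letters):
        # Every letter has a Latin twin: the label can pass for an ASCII name.
        return text, "whole-script-confusable", "".join(LOOKALIKES.get(c, c) for c in text)
    return text, "single-script-idn", None

def classify_hostname(hostname):
    """Classify every label of a hostname, left to right."""
    return [classify_label(lbl) for lbl in hostname.rstrip(".").split(".")]

if __name__ == "__main__":
    # Constructed samples; the Cyrillic label is built at run time, not a real domain.
    spoof = "xn--" + "\u0435\u0445\u0440\u043e".encode("punycode").decode("ascii")
    # ASCII form of the article's "短.co", computed with the standard idna codec.
    short = "\u77ed.co".encode("idna").decode("ascii")
    for host in (spoof + ".example", "ex\u0430mple.example", short, "example.com"):
        print(host, classify_hostname(host))
```

A label reported as `whole-script-confusable` or `mixed-script` is a candidate for display in its `xn--` form or for review in mail and proxy logs; a `single-script-idn` label such as the Chinese one is ordinary IDN use.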


Stories by Liam Tung
