A vulnerability has been exposed in Chrome, Firefox, and Opera browsers. In certain scenarios, the affected browsers may incorrectly render Unicode into ASCII characters via Punycode, tricking visitors into believing that it’s the official site.
The tip came from Xudong Zhen, who demonstrated the vulnerability by constructing a site for the domain “https://www.xn--80ak6aa92e.com/“. When entered into the URL bar, a browser could incorrectly translate it to Apple.com. Pair it with SSL and a well-copied template of the original, it can even fool seasoned web users.
The danger of this vulnerability is evident to see. If the domain was registered and hosted with malicious intent, it could easily trick users into giving out account information and passwords.
The problem stems from the way the browsers handle homograph attacks, a method of replacing ASCII characters with a similar symbol from another language. Normally, the ASCII translation is hidden when the browser detects that the Unicode address contains symbols from multiple languages, but if all the symbols are replaced, then this preventative measure can be bypassed. In the example above, all characters are actually rendered in Cyrillic characters, but due to the way the fonts are rendered, there are no visually discernible differences between them and ASCII.
Google has immediately patched this issue in Chrome version 58, while Firefox and Opera continue to exhibit this problem. Internet Explorer, Microsoft Edge, and Safari are currently unaffected.