I thought I'd pass along this potential vulnerability in the Firefox and Chrome browsers, which is receiving increased attention in online security communities. It involves a Unicode phishing vulnerability, where clicking a link to what appears to be a legitimate URL can actually take you to a fake website.
In fact, if you are using the Firefox or Chrome browser right now, try clicking this link:
Look at your browser's URL address bar. Does it say https://apple.com? Obviously, this is not an Apple website. Notice how the browser also appears to indicate a valid site certificate (https://), further demonstrating how hackers could potentially clone Apple's site to make it look legit, leaving a door open to steal personal account info.
Now try clicking the link using the MS Internet Explorer (IE) browser. Notice that the URL address bar correctly indicates the site address as https://www.xn--80ak6aa92e.com/. IE is not affected by the Unicode vulnerability.
Until patches are available for both the Firefox and Chrome browsers, it is advisable not to click links to websites in emails or other unfamiliar sources. Instead, type the website URL directly into the browser address bar, or use the IE browser in the interim.
For Firefox users who feel comfortable in making browser config changes, you can adjust the following browser setting to temporarily mitigate the Unicode vulnerability:
- Type or copy and paste about:config in the URL address bar.
- Click the "I'll be careful, I promise!" button.
- Type or copy and paste network.IDN_show_punycode in Search bar.
- Double-click the line network.IDN_show_punycode until the Value column changes to true.
- Close the browser tab.
Now try clicking the fake URL link above once again as a test. It should now read https://www.xn--80ak6aa92e.com/.
For further reference, see:
- This Phishing Attack is Almost Impossible to Detect
- Phishing with Unicode Domains
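As an added illustration, not part of the original post, here is a small Python check a defender might run over links pulled from an email gateway: it decodes the punycode label from the address above and reports which ASCII hostname it would be mistaken for. The look-alike table is a constructed subset for this example, not the full Unicode confusables list, and the helper names are my own.

```python
import unicodedata

# Constructed subset of Cyrillic letters that look like Latin letters in most
# fonts (an illustrative assumption, not the full Unicode confusables table).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0501": "d", "\u0435": "e",
    "\u04bb": "h", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
    "\u043e": "o", "\u0440": "p", "\u051b": "q", "\u0455": "s",
    "\u051d": "w", "\u0445": "x", "\u0443": "y",
}

def decode_label(label):
    """Return the Unicode form of one DNS label; ACE labels start with xn--."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def script_of(ch):
    """Crude script classification taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"

def is_mixed_script(label):
    """True if a label mixes scripts; a mixed-script-only policy stops here."""
    return len({script_of(c) for c in label if c.isalpha()}) > 1

def latin_lookalike(host):
    """Return the ASCII hostname this name would be mistaken for, or None."""
    rendered, spoofed = [], False
    for label in host.split("."):
        text = decode_label(label)
        if text.isascii():
            rendered.append(text.lower())
            continue
        # A letter with no Latin twin renders as visibly foreign: not a clone.
        if not all(c in CYRILLIC_LOOKALIKES for c in text):
            return None
        rendered.append("".join(CYRILLIC_LOOKALIKES[c] for c in text))
        spoofed = True
    return ".".join(rendered) if spoofed else None

if __name__ == "__main__":
    host = "xn--80ak6aa92e.com"  # the address shown in the post above
    label = decode_label(host.split(".")[0])
    print(label, "mixed script:", is_mixed_script(label), "->", latin_lookalike(host))
```

The decoded label is entirely Cyrillic, so a check that only flags mixed-script names passes it, while the look-alike mapping reports it as apple.com.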