Google Chrome users could be vulnerable to this deadly new phishing attack
Google Chrome has a dangerous new vulnerability that makes phishing attacks "almost impossible to detect", says security researcher Xudong Zheng.
The known vulnerability allows hackers to display fake domain names in the URL address bar – like Apple, Google, or Amazon – on their own fraudulent websites.
This makes phishing attacks notoriously tough to detect, since the victim's web browser appears to confirm they're on a legitimate web domain with a secure HTTPS connection.
Online users could enter their payment details into a website that looks exactly like the official site – with no idea they're actually on a fake webpage, designed by hackers to steal your information.
If you're running one of the affected browsers, you can test the phenomenon here.
According to Zheng, this vulnerability works in Chrome, Firefox and Opera web browsers.
XUDONG ZHENG • EXPRESS NEWSPAPERS
The vulnerability allows cybercriminals to display fraudulent with other, legitimate URLs
“It becomes impossible to identify the site as fraudulent without carefully inspecting the site's URL or SSL certificate,” he wrote in a blog post.
"In general, users must be very careful and pay attention to the URL when entering personal information.
"Until this is fixed, users should manually type the URL or navigate to the site via a search engine when in doubt."
The clever phishing attack works because of the way that some web browsers render some character sets.
For example, the Cyrillic "а" and Latin "a" are both rendered very differently within your web browser – and yet, they are displayed as a simple "a" character in the address bar.
Get Quotes on Home Insurance
GOOGLE • EXPRESS NEWSPAPERS
The web address is rendering as apple.com in affected browsers
According to Zheng, this means a cybercriminal can select characters from a single foreign language to artificially construct a URL that resembles a legitimate website.
For example, the domain name xn--80ak6aa92e.com will render as “apple.com” in all vulnerable web browsers, including Chrome, Firefox, and Opera.
Apple Safari, Internet Explorer and Microsoft Edge cannot be tricked using this method.
Google Chrome – The 11 hidden tricks EVERY Chrome users needs to know Wed, March 15, 2017
Google Chrome is the most popular web browser on the planet. It is easy-to-use, lightning-fast, and has a tonne of hidden tricks and features that you probably do not know about. Here's how to get the most from your web browser.
Play slideshow EXPRESS NEWSPAPERS 1 of 12
Here's how to get the most from your web browser
Zheng reported the vulnerability to all of the affected web browsers back in January.
Mozilla is reportedly working on a fix at the moment, while Google has already patched the vulnerability in its beta release, Chrome Canary 59.
This fix should be rolled-out to Chrome users worldwide later this month, on April 25th.
In the meantime, there is a temporary fix for Mozilla Firefox users.
- Type about:config in URL address bar, then hit Enter.
- Type Punycode in the search bar.
- This will load a browser setting entitled: network.IDN_show_punycode, double-click on Toggle to change the value from false to True.
Google left the 10th annual Pwn2Own event relatively unscathed
Ironically, the news comes as Google Chrome proved to be the least hackable web browser at the 10th annual Pwn2Own event.
The renown computer hacking contest is held each year at the CanSecWest security conference and sees contestants desperately try to exploit popular software and hardware with previously unknown vulnerabilities.
Those who manage to successfully find an exploit will win a cash prize, a jacket emblazoned with the year of their win, and, as the name of the contest suggests, the device they managed to break into.
Web browsers were subject to a number of exploits over the course of the contest, this year held at Vancouver's CanSecWest conference.
Over the three days of Pwn2Own, Microsoft Edge was successfully attacked five times – racking up $300,000 in bounties.
Safari was exploited three times, and Firefox was attacked twice – although only one of these was successful.
The browser says it will be making further additions to its security this year.
However, Google Chrome left the conference more or less unscathed – with the only attack not being completed in time.