Google To Roll Out New Chrome Update Against Punycode
The last version of Google Chrome was quite vulnerable to phishing attacks.
Google to roll out Chrome 59 soon.
Google has begun rolling out an update to the beta version of its Chrome browser. The last version (57.0.2987) had a flaw that made the browser vulnerable to phishing attacks.
The flaw stems from Punycode, which uses special ASCII characters in URLs to represent Unicode in a browser. Punycode lets phishers register fake domains that look similar to the real website's domain. For example, it is possible to register domains such as "xn--pple-43d.com", which is equivalent to "аpple.com".
In a proof of concept by software engineer Xudong Zheng, one such URL appears to direct people to apple.com but is in reality www.xn--80ak6aa92e.com. The xn-- prefix tells browsers like Chrome that the domain uses ASCII-compatible encoding.
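The following is an added example, not code from the article or from Chrome: a Python check that decodes the xn-- labels of the two hostnames above and reports which scripts they actually contain. The function names and the small LOOKALIKES table are assumptions made for this illustration.

```python
import unicodedata

# Constructed, deliberately small lookalike map (Cyrillic -> Latin) for this
# example; a real check would load the full Unicode confusables data.
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l"}

def decode_label(label):
    """Return the Unicode form of one DNS label (xn-- labels are Punycode)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_of(text):
    """Scripts of the letters in text, taken from the Unicode character names."""
    return {unicodedata.name(ch).split()[0] for ch in text if ch.isalpha()}

def inspect_host(host):
    """Classify every non-ASCII label of a hostname."""
    findings = []
    for label in host.split("."):
        shown = decode_label(label)
        if shown.isascii():
            continue
        # Map known lookalikes to Latin to see what the label imitates.
        skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in shown)
        scripts = scripts_of(shown)
        if len(scripts) > 1:
            verdict = "mixed-script"            # e.g. Cyrillic + Latin letters
        elif skeleton.isascii():
            verdict = "whole-script-lookalike"  # one script, reads as ASCII
        else:
            verdict = "plain-idn"
        findings.append({"label": label, "shown": shown,
                         "scripts": sorted(scripts),
                         "skeleton": skeleton, "verdict": verdict})
    return findings

if __name__ == "__main__":
    # The two hostnames from the article plus one ordinary IDN for contrast.
    for host in ("xn--pple-43d.com", "www.xn--80ak6aa92e.com",
                 "xn--mnchen-3ya.de"):
        for f in inspect_host(host):
            print(host, "->", f["shown"], f["scripts"], f["skeleton"], f["verdict"])
```

The first hostname mixes one Cyrillic letter with Latin ones, while the proof-of-concept hostname is written entirely in Cyrillic, so a rule that only rejects mixed-script labels does not catch it.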
The issue was reported to Google on January 20th.
Luckily, Microsoft Edge, Internet Explorer and Safari have already patched the flaw, and Google is just catching up, as the issue has been fixed in Chrome 59. The fix is currently live in Canary as an advance beta release, and Google will likely make it available to all Chrome users soon.