
Browser URL Hack Affects Chrome, Firefox

This is one of those moments I can’t decide whether I’m more frustrated or impressed by the latest cyber attack out there.

Frustrated, because: What, the Internet wasn’t dangerous enough already? Sheesh.

Impressed, because: Damn, that’s slick!

The Attack

The attack uses “Unicode characters” (like symbols and foreign letters) to make one website address display as another.

For instance, “https://www.xn--80ak6aa92e.com/” shows up as “https://www.apple.com,” but when you click on it, it takes you to the “https://www.xn--80ak6aa92e.com/” website.

This hack makes it almost impossible to detect a phishing attack.
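The substitution described above can be checked outside the browser. The following is an added example, not part of the original post: it decodes the “xn--” labels of a hostname and flags names whose non-ASCII letters all have ASCII look-alikes. The function names and the small LOOKALIKES table are assumptions made for this example; the table is constructed and far from complete.

```python
from urllib.parse import urlsplit

# Constructed, deliberately partial map of Cyrillic letters that render like
# Latin ones (an assumption for this example, not a full confusables table).
LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i",
    "\u0458": "j", "\u04cf": "l", "\u043e": "o", "\u0440": "p",
    "\u0455": "s", "\u0445": "x", "\u0443": "y",
}

def decode_label(label):
    """Return the Unicode form of one DNS label (raw Punycode decoding)."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except ValueError:  # UnicodeError is a ValueError: malformed label
            return label    # leave it exactly as typed
    return label

def check_host(host):
    """Return (displayed, skeleton, suspicious) for a hostname."""
    shown, skel = [], []
    for label in host.rstrip(".").split("."):
        uni = decode_label(label)
        shown.append(uni)
        # Replace each known look-alike with the ASCII letter it imitates.
        skel.append("".join(LOOKALIKES.get(ch, ch) for ch in uni))
    displayed, skeleton = ".".join(shown), ".".join(skel)
    # Suspicious: the name contains non-ASCII characters, yet every one of
    # them maps to an ASCII look-alike, so it can pass for a plain ASCII name.
    suspicious = (not displayed.isascii()) and skeleton.isascii()
    return displayed, skeleton, suspicious

def check_url(url):
    """Apply check_host to the hostname part of a URL."""
    return check_host(urlsplit(url).hostname or "")

if __name__ == "__main__":
    # The first URL is the one from the post; the others are for contrast.
    for url in ("https://www.xn--80ak6aa92e.com/",
                "https://www.apple.com/",
                "https://xn--mnchen-3ya.de/"):
        displayed, skeleton, suspicious = check_url(url)
        verdict = "LOOK-ALIKE" if suspicious else "ok"
        print(f"{url} -> {displayed!r} reads as {skeleton!r}: {verdict}")
```

An ordinary internationalized name such as the third URL is not flagged, because its non-ASCII letter has no entry in the look-alike table.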

How to Defend Yourself

If you’re using Chrome, just make sure it’s updated to version 58. Normally, this will happen automatically, but it may require restarting Chrome to take effect.

Here’s how to tell which version of Chrome you’re running.

If you’re using Firefox, the fix is a little more complicated:

  1. Type about:config in the address bar and press “Enter”.
  2. Type Punycode in the search bar.
  3. Look for the parameter titled: network.IDN_show_punycode.
  4. Double-click or right-click and select Toggle to change the value from false to true.

Both of the fixes above make the browser show the address’s actual encoded characters (the “xn--” form) instead of the rendered Unicode.

Stay in the Loop

I’ll let you know when a fix is available, both here and on my email list (join over there, up and to the right; the big orange box).

Read more about the punycode attack.