Google Moving Quickly To Fix Chrome Browser Punycode Phishing Exploit

If you're using Google's Chrome browser as your primary vehicle to surf the web, you may want to think about temporarily parking it and puttering around in something else. That's because the most recent version of Chrome is vulnerable to a devious phishing attack, one that is capable of spoofing a legitimate website in the address bar so that you could be tricked into forking over your login credentials and other sensitive data.

This particular variant uses unicode to register domains that look exactly the same as real domains. However, these fake domains can be used for malicious purposes, such as getting a user to sign into a banking site or some other portal where login credentials and other data might be exposed.


As a proof of concept, Wordfence created its own example in which it purchased the domain and imitated a healthcare website called, complete with an SLL certificate. When visiting the fake website, it appears as in the address bar and is labeled as "Secure" with the lock icon. There is nothing in the address bar to alert a user at a glance that it's different from the real website.

This is made possible by using the xn-- prefix, also known as an ASCII compatible encoding prefix. This tells a browser that a website is using punycode encoding to represent Unicode characters. This makes it possible to register domains with foreign characters. When using the right ones, it's possible to spoof a domain. For example, registering the domain would show up as, as Xudon Zheng describes in a blog post.

This bit of punycode trickery the current versions of Chrome (57.0.2987) and Firefox (52.0.2), though there is a manual fix you can apply to the latter:
  1. Type about:config in the address bar.
  2. Search for punycode.
  3. Look for the parameter network.IDN_show_punycode and change the value from false to true.
There is nothing you can do in Chrome except wait for a security update, which Google is working on. Internet Explorer and Safari are both not affected by this.

No matter what browser you use, as always, avoid clicking on hyperlinks in emails. Instead, type the destination address directly into your browser.