Apple’s Safari and Microsoft’s Internet Explorer and Edge browsers are apparently unaffected. Vulnerable web browsers include Google Chrome, Mozilla Firefox, and Opera browsers. So “,” which references Cyrillic letters (in Unicode), becomes “” (in ASCII). Zheng’s bogus domain is actually “.” This alphanumeric gobbledygook renders as “” in the web browser due to a tool called “punycode,” which translates characters from Unicode, an encoding standard for computers to display thousands of kinds of symbols, including ones from many different languages, into the more limited set of characters available in ASCII, another encoding standard that only contains symbols more familiar to English readers, including “A-Z,” “a-z,” 0-9,” and various punctuation marks.īrowsers use punycode to display foreign domain names in English. Zheng created an example site, “ ,” to spoof the legitimate “ ,” thus demonstrating the potential for duplicity. The attack received renewed attention on Friday when Xudong Zheng, a web developer at the small software firm SliceOne, raised the alarm about a particular version of the scam in a blog post on his personal website. Bruce Schneier, a cybersecurity expert who works at IBM ibm, warned more than a decade ago about an early version of the attack mimicking PayPal pypl with PayPaI, which ends in an uppercase “i” rather than a lowercase “l.” The scam is called an “ IDN homograph attack,” and it dates back to 2001. Get Data Sheet, Fortune ’s technology newsletter Good luck seeing the difference between a domain like “” (Latin) from “” (Cyrillic).
When displayed, it’s all but impossible to tell apart a Greek “ O” from a Cyrillic “ O” from a Latin “ O,” for instance. It works like this: fraudsters are able to register domains with characters plucked from various alphabets other than the default Latin script.
0 kommentar(er)
