A major security vulnerability on popular web browsers like Chrome, Firefox and Opera may be making users vulnerable to hackers looking to steal their confidential data and identities.
According to security researcher Xudong Zheng, the vulnerability allows hackers to display fake domain names of popular websites on their own sites. This way, hackers can trick users into believing that they are visiting the original websites rather than fake ones.
For example, a hacker can use a fake domain name of Apple or Amazon on his/her website and then ask users to click on such fake links. The hacker can then use auto-fill forms to obtain users’ e-mail addresses and other details. What’s worse is that such phishing attacks are ‘almost impossible to detect’, claims Zheng.
Zheng built a demo page to demonstrate the vulnerability he discovered. He registered a new domain using foreign characters, like “xn--pple-43d.com”, which the browser displays as apple.com. He calls this a ‘homograph attack’, which is also known as script spoofing. In security parlance, the attack is defined as ‘a way a malicious party may deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike.’
The only way users can detect whether such websites are fake or not is by ‘inspecting the site’s URL or SSL certificate.’ Until the vulnerability is fixed, the best way to access genuine sites is by typing the URL manually or navigating to the site via a search engine when in doubt, he added.
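The URL inspection described above can be automated. The following is an added example, not code from Zheng's post or from any browser: it decodes each Punycode ("xn--") label of a hostname and reports which scripts the decoded characters belong to. The function names and the sample hostnames are constructed for illustration.

```python
import unicodedata


def script_of(ch):
    """Coarse script tag taken from the Unicode character name."""
    if not ch.isalpha():
        return "COMMON"  # digits and hyphens are shared by all scripts
    # e.g. "CYRILLIC SMALL LETTER A" -> "CYRILLIC"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def inspect_hostname(host):
    """Return one finding per Punycode-encoded label in `host`."""
    findings = []
    for label in host.lower().rstrip(".").split("."):
        if not label.startswith("xn--"):
            continue  # plain ASCII label, shown as-is by the browser
        try:
            decoded = label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            findings.append({"label": label, "unicode": None,
                             "scripts": [], "mixed_script": False,
                             "invalid": True})
            continue
        scripts = sorted({script_of(c) for c in decoded} - {"COMMON"})
        findings.append({
            "label": label,               # what is actually registered
            "unicode": decoded,           # what the address bar may show
            "scripts": scripts,
            "mixed_script": len(scripts) > 1,
            "invalid": False,
        })
    return findings


if __name__ == "__main__":
    # Constructed sample input; the second hostname uses the label
    # quoted in the article.
    for host in ("www.apple.com", "www.xn--pple-43d.com"):
        print(host, inspect_hostname(host))
```

A label written entirely in one non-Latin script is not reported as mixed, so the decoded form and script list should still be reviewed for any "xn--" label that resembles a known brand.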
“A simple way to limit the damage from bugs such as this is to always use a password manager. In general, users must be very careful and pay attention to the URL when entering personal information. Until this is fixed, concerned users should manually type the URL or navigate to sites via a search engine when in doubt. This is a serious vulnerability because it can even fool those who are extremely mindful of phishing,” he wrote in his blog post.
After Zheng reported the vulnerability to Google, the company responded with a fix in a new update, Chrome 58. The update is expected to roll out on April 25th, and all Chrome users need to update their browsers to avoid being victimised by the vulnerability. “The problem remains in Firefox as they decided that it is a problem for domain registrars to deal with,” he added.