Google to patch Chrome phishing vulnerability already solved in Safari & Edge
Google is finally preparing to update its Chrome browser, available for platforms including macOS and iOS, with protection against a phishing vulnerability already patched in Apple's Safari and Microsoft's Edge and Internet Explorer.
The issue is currently remedied in Chrome builds available through Google's experimental Canary program for macOS, Windows, and Android, Engadget noted on Monday. The update will have to progress through Chrome's regular beta channel before reaching the public at large sometime around Apr. 25.
The flaw exploits Punycode, which uses specific ASCII characters in URLs to output Unicode in a browser. This can important for regions with non-Latin alphabets, such as China.
Phishers, however, can register fake domains that in Chrome look like they're pointing to a legitimate website. A safe proof-of-concept by a software engineer, Xudong Zheng, even appears to direct people to apple.com, but is in reality www.xn--80ak6aa92e.com.
Google was informed about the vulnerability on Jan. 20, and it's not clear why a fix has taken so long.
Mozilla was alerted at the same time, but is reportedly undecided about patching Firefox -- users can temporarily fix the problem themselves by entering "about:config" into their address bar, then changing "network.IDN_show_punycode" to "true." This forces Firefox to reveal Punycode, helping people careful enough to check URLs before clicking.
The issue is currently remedied in Chrome builds available through Google's experimental Canary program for macOS, Windows, and Android, Engadget noted on Monday. The update will have to progress through Chrome's regular beta channel before reaching the public at large sometime around Apr. 25.
The flaw exploits Punycode, which uses specific ASCII characters in URLs to output Unicode in a browser. This can important for regions with non-Latin alphabets, such as China.
Phishers, however, can register fake domains that in Chrome look like they're pointing to a legitimate website. A safe proof-of-concept by a software engineer, Xudong Zheng, even appears to direct people to apple.com, but is in reality www.xn--80ak6aa92e.com.
Google was informed about the vulnerability on Jan. 20, and it's not clear why a fix has taken so long.
Mozilla was alerted at the same time, but is reportedly undecided about patching Firefox -- users can temporarily fix the problem themselves by entering "about:config" into their address bar, then changing "network.IDN_show_punycode" to "true." This forces Firefox to reveal Punycode, helping people careful enough to check URLs before clicking.
Comments