Google to patch Chrome phishing vulnerability already solved in Safari & Edge

in Mac Software
Google is finally preparing to update its Chrome browser, available for platforms including macOS and iOS, with protection against a phishing vulnerability already patched in Apple's Safari and Microsoft's Edge and Internet Explorer.

The issue is currently remedied in Chrome builds available through Google's experimental Canary program for macOS, Windows, and Android, Engadget noted on Monday. The update will have to progress through Chrome's regular beta channel before reaching the public at large sometime around Apr. 25.

The flaw exploits Punycode, which uses specific ASCII characters in URLs to output Unicode in a browser. This can important for regions with non-Latin alphabets, such as China.

Phishers, however, can register fake domains that in Chrome look like they're pointing to a legitimate website. A safe proof-of-concept by a software engineer, Xudong Zheng, even appears to direct people to, but is in reality

Google was informed about the vulnerability on Jan. 20, and it's not clear why a fix has taken so long.

Mozilla was alerted at the same time, but is reportedly undecided about patching Firefox -- users can temporarily fix the problem themselves by entering "about:config" into their address bar, then changing "network.IDN_show_punycode" to "true." This forces Firefox to reveal Punycode, helping people careful enough to check URLs before clicking.


  • Reply 1 of 3
    mike1mike1 Posts: 1,926member
    I just made that change to Firefox on my work PC. Question is why wouldn't that be the default setting? Just wondering.
  • Reply 2 of 3
    dreyfus2dreyfus2 Posts: 1,071member
    mike1 said:
    I just made that change to Firefox on my work PC. Question is why wouldn't that be the default setting? Just wondering.
    Punycode is about as helpful as IPv6 addresses to most people... The whole idea here is to show URLs containing non-ASCII characters so people from a specific locale can read them. Plus, who can tell the right from the wrong Punycode? The root cause, IMO, is NICs in some countries allowing the registration of homographic Punycode IDNs. There is no non-ASCII character in, so there is absolutely no need to register it in coded form. Some NICs, like ours in Germany, refuse the registration of such domain names. I would consider that the level at which the problem should be addressed.
  • Reply 3 of 3
    Maybe Google wants to kill its chrome OS and chrome browser, taking so long for this fix is beyond my understanding.
Sign In or Register to comment.