The Punycode Phishing Attack on Web Browsers Ain’t So Puny

| Analysis

Page 2 – A Phishing Attack Using Punycode

The Punycode Phishing Attack

If all foreign characters looked so different from ASCII characters, we wouldn’t have any problems. However, that’s not the case, especially when you take into account the font choice used by some browsers. In Punycode, this:

is the equivalent of:


Notice the similarity to This is because the Punycode is rendering the Cyrillic equivalent of “a” (U+0430) instead of ASCII’s “a” (U+0061). Chrome 57 and earlier, along with all versions of Firefox, use fonts that will make you see the domain name as “” and possibly fool you into thinking you’re at Cupertino’s website.

Punycode Phishing Attack

In the latest version of Firefox, I entered “” into my browser, and it turned into what looked like

The same problem exists in Windows in Internet Explorer and Edge, if the computer has Cyrillic font support.

What’s Being Done to Fix It?

Security researchers reported this bug to Chrome and Mozilla (makers of Firefox) on January 20, 2017. Chrome fixed it as of version 58 on March 28, but that particular update is still rolling out to users. I actually received the new version of Chrome minutes after capturing a screenshot of the bug in action.

Punycode Phishing Attack

In Chrome 57, I entered “” into my browser, and it turned into what looked like

The bug does not occur in Safari at all. Firefox, on the other hand, will always suffer from this bug, it seems. Developers at Mozilla have said such attacks cannot be detected programmatically, and that it is the responsibility of domain owners to identify such potential threats and register those Punycode domains themselves.

There is, however, a workaround in Firefox to resolve the issue. If you visit about:config and set network.IDN_show_punycode to true, Once done, Firefox won’t transcode Punycode into Unicode.

The Moral of the Story – Use Your Password Manager

The truth found in this is that you should be much more careful about entering personal information on a website. This is true even if it’s one you think you recognize and has an apparently-valid SSH certificate. To prevent falling prey to a Punycode phishing attack, rely heavily on your password manager to protect you. Punycode phishing attacks don’t fool password managers. Hopefully, Mozilla will soon reverse its stance on the issue, but at least there’s a way to protect yourself in Firefox. You should also be sure to upgrade Google Chrome, if you use it.

2 Comments Add a comment

  1. John Kheit

    Thanks for the heads up Jeff! I’ve worried about the use of ‘spoof characters’ aka look-alike characters for a long while. Bottom line, don’t click on stuff. Either type out the URL yourself, or use one of your own saved links from having first typed it out before hand… The world we live in…

  2. wab95

    Thanks, Jeff.

    This is the kind of information one needs in order to make a truly informed decision on browser choice; something seemingly simple, but not so straight forward.

    @John: great advice about the URL. I have had occasion (just yesterday in fact on the eraCommons site managed by the National Institutes of Health) where a saved link has expired and earns you a ‘Page Not Found’ response, so learning to type it in is good etiquette.

Add a Comment

Log in to comment (TMO, Twitter, Facebook) or Register for a TMO Account