Way back in 2017, a security researcher created a fake apple.com website where the URL looked completely correct. The trick was that the domain he registered used a unicode character that looks like an “a” but is in fact a Cyrillic character.
Browsers were updated to detect this kind of fakery, but it’s far from a simple process – as a new video (below) illustrates …
We explained at the time how this worked, and noted that Safari was the only major browser to detect it.
The trick employed by the site is to use Unicode characters that look the same as the appropriate ASCII characters for the site impersonated, explains researcher Xudong Zheng.
It is possible to register domains such as “xn--pple-43d.com”, which is equivalent to “аpple.com”. It may not be obvious at first glance, but “аpple.com” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0061). This is known as a homograph attack.
Safari isn’t fooled by this, but Chrome, Firefox and Opera all are. You can see this for yourself by using any of them to visit https://www.xn--80ak6aa92e.com (this is perfectly safe, it’s a site created by Zheng as a proof of concept). In Safari, you’ll see this URL as it appears here – but in the other browsers it will look exactly like https://www.apple.com.
Other browsers later caught up, but detecting this kind of trick is far more difficult than you might think.
YouTuber NoMagic has created a video explaining why the obvious solutions – like banning the use of Cyrillic characters within URLs – can’t be used.
Potential solutions that sound fine at first glance but would cause chaos in practice include:
- Banning Cyrillic characters in URLs
- Banning mixed character sets
- Displaying warnings for mixed character sets
- Only display characters used in user-set preferred languages
The video explains the problems with each of these approaches, and what browsers do instead.
It is, as the narrator says, a simple problem requiring surprisingly complex, multi-layered solutions.
FTC: We use income earning auto affiliate links. More.