Forum Thread: Punycode Phishing Attacks

A new type of vulnerability has been discovered by Chinese infosec researcher Xudong Zheng that makes it easy for hackers to do phishing. This vulnerability makes it almost impossible to identify phishing.

By default, many web browsers use 'Punycode' encoding to represent Unicode characters in the URL to defend against homograph phishing attacks. Punycode is a special encoding used by the web browser to convert Unicode characters to the limited ASCII character set (A-Z, 0–9) supported by the International Domain Names (IDNs) system.

For example, the Chinese domain "?.co" is represented in Punycode as "xn —".

According to Zheng, the loophole relies on the fact that if someone chooses all the characters for a domain name from a single foreign-language character set, so that it looks exactly the same as the targeted domain, then browsers will render it in that language instead of in Punycode format.

This loophole allowed the researcher to register a domain name xn — and bypass protection, which appears as "" by all vulnerable web browsers, including Chrome, Firefox, and Opera, though Internet Explorer, Microsoft Edge, Apple Safari, Brave, and Vivaldi are not vulnerable.

Here, the xn-- prefix is known as an 'ASCII compatible encoding' prefix, which indicates to the web browser that the domain uses 'punycode' encoding to represent Unicode characters. Because Zheng uses the Cyrillic "а" (U+0430) rather than the ASCII "a" (U+0041), the defence approach implemented by the web browser fails.

Zheng has reported this issue to the affected browser vendors, including Google and Mozilla in January.

While Mozilla is currently still discussing a fix, Google has already patched the vulnerability in its experimental Chrome Canary 59 and will come up with a permanent fix with the release of Chrome Stable 58, set to be launched later this month.

Meanwhile, millions of Internet users who are at risk of this sophisticated hard-to-detect phishing attack are recommended to disable Punycode support in their web browsers in order to temporarily mitigate this attack and identify such phishing domains.

Firefox users can follow the steps below to manually apply a temporary mitigation:

  • Type about:config in the address bar and press Enter.
  • Type Punycode in the search bar.
  • The browser settings will show a parameter titled network.IDN_show_punycode; double-click it, or right-click and select Toggle, to change the value from false to true.
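A defender-side check for the case described above (a label written entirely in one non-Latin script that reads as ASCII), as an added example that is not part of the original post. The lookalike table, the function names and the sample host are constructed for illustration.

```python
import unicodedata

# Constructed, deliberately small lookalike table (assumption): Cyrillic
# letters that render like ASCII letters in most fonts.
CONFUSABLE = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0455": "s",
    "\u0456": "i", "\u0458": "j",
}

def decode_label(label):
    """Return the Unicode form of one DNS label (xn-- labels are Punycode)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def script_of(ch):
    """Rough script name: first word of the Unicode character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def check_host(host):
    """Report, per label, the scripts used and any all-confusable skeleton."""
    findings = []
    for raw in host.rstrip(".").split("."):
        try:
            text = decode_label(raw)
        except UnicodeError:
            findings.append({"label": raw, "error": "invalid punycode"})
            continue
        scripts = {script_of(c) for c in text} - {"COMMON"}
        skeleton = "".join(CONFUSABLE.get(c, c) for c in text)
        whole_script_spoof = (
            text != skeleton and skeleton.isascii() and len(scripts) == 1
        )
        findings.append({
            "label": raw, "unicode": text, "scripts": sorted(scripts),
            "ascii_skeleton": skeleton if whole_script_spoof else None,
            "suspicious": whole_script_spoof or len(scripts) > 1,
        })
    return findings

def make_sample():
    """Constructed sample: Cyrillic letters that read like 'coco'."""
    label = "\u0441\u043e\u0441\u043e"
    return "xn--" + label.encode("punycode").decode("ascii") + ".example"
```

A label is flagged when it mixes scripts or when every character of a single-script label maps to an ASCII lookalike; an ordinary Cyrillic word with letters outside the table is not flagged.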

