New Browser flaw
Posted: April 19, 2017, 7:50 am
There are reports of a Browser flaw that is/was affecting all the major browsers.
Chrome & Firefox have yet to release a fix but it is quite easy to do a manual fix in Firefox to eliminate it.
The flaw is centered on Punycode.
https://en.wikipedia.org/wiki/Punycode
Using it a hacker can create an alternative web site that looks exactly like an original official web site with no indication by the browser that you are actually not on the official site. Usernames & passwords used to access that site can then be captured by the hacker.
It is, obviously, a fair bit of work on the part of the hacker to replicate the official site, but rewarding if they do get hits.
To remove the problem in Firefox do the following:
Type about:config in the address bar & approve the 'here be dragons' warning message.
Search for punycode
The line network.IDN_show_punycode will appear with a Value of False
Right mouse click on this line & select Toggle
The value will change from False to True
Security firm Wordfence set up a dummy site to prove the flaw..
https://www.wordfence.com/blog/2017/04/ ... -phishing/
With punycode set to False this is what the URL of their dummy site looks like in Firefox
Once punycode is set to True the real URL of the site is revealed..
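An added example, not part of the original post: a Python check that converts a hostname between its displayed Unicode form and the xn-- form Firefox shows once network.IDN_show_punycode is True, and flags labels built from Latin lookalike letters. The function names, the small lookalike table and the sample hostname are constructed for illustration.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones.
# Not a complete table; Unicode UTS #39 publishes the full confusables data.
LOOKALIKES = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
              "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0455": "s",
              "\u0456": "i", "\u0458": "j"}

# Constructed sample: Cyrillic es-o-es-o, which renders like "coco".
SPOOF = "\u0441\u043e\u0441\u043e.example"

def to_ascii(host):
    """Return the xn-- form of a hostname (what the address bar shows with the pref on)."""
    out = []
    for label in host.lower().split("."):
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        out.append(label)
    return ".".join(out)

def to_unicode(host):
    """Return the Unicode form of a hostname (what the address bar shows with the pref off)."""
    out = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        out.append(label)
    return ".".join(out)

def scripts(label):
    """Scripts used by the letters of a label, taken from the Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def check_host(host):
    """Flag non-ASCII labels that read as plain ASCII or that mix scripts."""
    uni = to_unicode(host)
    findings = []
    for label in uni.split("."):
        if label.isascii():
            continue
        skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in label)
        if skeleton.isascii():
            findings.append(("lookalike", label, skeleton))
        elif len(scripts(label)) > 1:
            findings.append(("mixed-script", label, skeleton))
    return {"unicode": uni, "ascii": to_ascii(uni), "findings": findings}

if __name__ == "__main__":
    print(check_host(to_ascii(SPOOF)))
```

A label written entirely in one non-Latin script with no Latin lookalike reading, such as a genuine Cyrillic word, produces no finding.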