Google will fix a major security flaw found in the Chrome web browser that can leave users wide open to phishing attacks.
The bug has already been patched in Safari, Internet Explorer and Microsoft Edge but affects the latest version of both Chrome (version 57.0.2987) and Firefox (52.0.2).
According to Zheng, Google will fix the problem when it releases Chrome 58, which is expected to be released on April 25.
The flaw exploits something called Punnycode, which in a roundabout way allows fraudsters to create a fake version of a legitimate website, even with an identical url, so that users could easily be tricked into handing over passwords, login credentials or any other sensitive data.
To prove its existence, Wordfence created its own demo of how the flaw could be exploited by criminals.
The security firm purchased the domain xn--e1awd7f.com and imitated a healthcare website called epic.com.
When a user was directed to the fake website, it looked completely legitimate, with eipc.com appearing in the address bar and even being labeled as ‘secure’ by Chrome.
Visit xn--e1awd7f.com for yourself, the example has been left online to warn users.
While Chrome has said it will issue a fix, Mozilla on the other hand hasn’t confirmed when a fix will be issued.
For anyone using Firefox, Wordfence recommends the following steps:
1. In your Firefox location bar, type about:config.
2. Do a search for punycode.
3. You should see a parameter titled: network.IDN_show_punycode
4. Change the value from false to true.