Major flaw found in Google Chrome lets devious fraudsters steal your passwords


Google will fix a major security flaw found in the Chrome web browser that can leave users wide open to phishing attacks.

The flaw, which allows unsuspecting users to be redirected to malicious domains that look identical to legitimate websites, was discovered by developer Xudong Zheng and cyber security firm Wordfence.

The bug has already been patched in Safari, Internet Explorer and Microsoft Edge but affects the latest version of both Chrome (version 57.0.2987) and Firefox (52.0.2).

According to Zheng, Google will fix the problem when it releases Chrome 58, which is expected to be released on April 25.

The flaw exploits something called Punycode, the encoding used to represent non-ASCII domain names, which in a roundabout way allows fraudsters to create a fake version of a legitimate website whose URL appears identical, so that users could easily be tricked into handing over passwords, login credentials or any other sensitive data.

To prove its existence, Wordfence created its own demo of how the flaw could be exploited by criminals.

The security firm purchased the domain and imitated a healthcare website called

When a user was directed to the fake website, it looked completely legitimate, with appearing in the address bar and even being labeled as ‘secure’ by Chrome.

Visit it for yourself; the example has been left online to warn users.

Image: Wordfence

While Chrome has said it will issue a fix, Mozilla, on the other hand, hasn’t confirmed when a fix will be issued.

For anyone using Firefox, Wordfence recommends the following steps:

1. In your Firefox location bar, type about:config.

2. Do a search for punycode.

3. You should see a parameter titled: network.IDN_show_punycode

4. Change the value from false to true.
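To make the Punycode mechanism described above concrete, and to show what Firefox displays once network.IDN_show_punycode is set to true, here is an added example (not code from the article, Wordfence or Xudong Zheng). It converts hostnames between their Unicode and Punycode forms with Python's standard idna codec and flags a label that mixes letters from more than one script, which is the property a look-alike domain relies on. The sample hostnames are constructed for this example; the third one is "example" with its Latin "a" replaced by the Cyrillic small letter a (U+0430), not the domain Wordfence registered.

```python
import unicodedata

# Constructed sample hostnames (not the domain from the article).
# The third label uses Cyrillic small letter a (U+0430) in place of Latin 'a';
# the fourth is the same homograph already in its Punycode ("xn--") form.
SAMPLE_HOSTS = [
    "example.com",
    "bücher.example",
    "ex\u0430mple.com",
    "xn--exmple-4nf.com",
]


def to_unicode_label(label: str) -> str:
    """Return the Unicode form of one label, decoding Punycode ('xn--') labels."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def to_punycode_label(label: str) -> str:
    """Return the ASCII (Punycode) form of one label.

    This is the form the browser sends to DNS, and the form Firefox shows in
    the location bar when network.IDN_show_punycode is true.
    """
    return to_unicode_label(label).encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Crude script detection: first word of each letter's Unicode name
    (LATIN, CYRILLIC, GREEK, ...)."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def analyse_host(host: str) -> dict:
    """Report both spellings of a hostname and whether any label mixes scripts.

    A legitimate IDN such as bücher.example is non-ASCII but single-script;
    a homograph such as ex<Cyrillic a>mple.com mixes Latin and Cyrillic letters
    inside one label and is reported as suspicious.
    """
    labels = host.split(".")
    unicode_labels = [to_unicode_label(lbl) for lbl in labels]
    punycode_host = ".".join(to_punycode_label(lbl) for lbl in labels)
    mixed = any(len(scripts_in(lbl)) > 1 for lbl in unicode_labels)
    non_ascii = any(not lbl.isascii() for lbl in unicode_labels)
    return {
        "unicode": ".".join(unicode_labels),
        "punycode": punycode_host,
        "non_ascii": non_ascii,
        "mixed_script": mixed,
        "suspicious": mixed,
    }


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        report = analyse_host(host)
        flag = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{host:24} -> {report['punycode']:24} {flag}")
```

The "xn--" form is what a DNS resolver actually sees, so it is the reliable thing to compare against a known-good hostname; the Unicode rendering is what a user sees, and the mixed-script check approximates the heuristic that browsers use when deciding whether to display the Unicode form at all.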