Major flaw found in Google Chrome lets devious fraudsters steal your passwords


Google will fix a major security flaw found in the Chrome web browser that can leave users wide open to phishing attacks.

The flaw, which allows unsuspecting users to be redirected to malicious domains that look identical to legitimate websites, was discovered by developer Xudong Zheng and cyber security firm Wordfence.

The bug has already been patched in Safari, Internet Explorer and Microsoft Edge but affects the latest version of both Chrome (version 57.0.2987) and Firefox (52.0.2).

According to Zheng, Google will fix the problem in Chrome 58, which is expected to be released on April 25.

The flaw exploits something called Punycode, which in a roundabout way allows fraudsters to create a fake version of a legitimate website, even with a URL that looks identical, so that users could easily be tricked into handing over passwords, login credentials or any other sensitive data.

To prove its existence, Wordfence created its own demo of how the flaw could be exploited by criminals.

The security firm purchased the domain xn--e1awd7f.com and imitated a healthcare website called epic.com.

When a user was directed to the fake website, it looked completely legitimate, with epic.com appearing in the address bar and even being labeled as ‘secure’ by Chrome.
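As an added illustration (not part of the original article or of Wordfence's demo), the Python sketch below decodes the demo domain's Punycode label and flags labels whose non-Latin letters read as a Latin word. The function names are hypothetical and the lookalike table is a small constructed sample, not a complete confusables list.

```python
import unicodedata

# Constructed, partial map of Cyrillic letters that render like Latin ones.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i",
    "\u043e": "o", "\u0440": "p", "\u0455": "s", "\u0445": "x", "\u0443": "y",
}

def decode_label(label):
    """Return the Unicode form of one DNS label ('xn--' labels are Punycode)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(text):
    """Rough script set, taken from the first word of each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def inspect_host(host):
    """Report every Punycode label in host and whether it reads as a Latin word."""
    findings = []
    for label in host.split("."):
        try:
            uni = decode_label(label)
        except UnicodeError:
            findings.append({"label": label, "error": "invalid punycode"})
            continue
        if uni == label:
            continue  # plain ASCII label, nothing to decode
        # Replace known lookalikes to see what a reader would perceive.
        skeleton = "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in uni)
        findings.append({
            "label": label,
            "unicode": uni,
            "scripts": sorted(scripts(uni)),
            "latin_skeleton": skeleton,
            # Risky when every character maps onto plain ASCII letters.
            "spoof_risk": skeleton.isascii() and skeleton != uni,
        })
    return findings

if __name__ == "__main__":
    # Demo domain from the article, the real site, and a benign IDN for contrast.
    for host in ("xn--e1awd7f.com", "epic.com", "xn--mnchen-3ya.de"):
        print(host, inspect_host(host))
```

A label such as `xn--mnchen-3ya` is reported but not flagged, because its decoded form is Latin script and does not collapse to a different ASCII word.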

Visit xn--e1awd7f.com for yourself; the example has been left online to warn users.

Image: Wordfence


While Chrome has said it will issue a fix, Mozilla hasn’t confirmed when one will be issued.

For anyone using Firefox, Wordfence recommends the following steps:

1. In your Firefox location bar, type about:config.

2. Do a search for punycode.

3. You should see a parameter titled: network.IDN_show_punycode

4. Change the value from false to true.

Jonathan Fairfield