Opera and Unicode domains PSA
-
jito463 last edited by
So, I just saw this on another website. Apparently, there's a Unicode phishing bug that's exploitable in multiple browsers. The linked article specifically mentions Chrome and Firefox, but Opera is also affected (obviously, as it uses the Chrome engine), as well as classic Opera v12 and a couple of other browsers (ironically, Edge was not affected, but I still would never recommend it). It relies on using Unicode characters in the domain, which the browser converts to appear as a different domain name. Add an SSL cert, and it's possible to make a phishing site appear to be completely legit, unless you actually check the SSL cert manually.
https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
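A defensive check for the behaviour described in the post above, as an added example that is not part of the original thread: it decodes each `xn--` label of a hostname and flags labels that mix scripts or consist only of Cyrillic letters that look like Latin ones. The lookalike table, the helper names and the `.example` hostnames are constructed for this illustration, and the heuristic is an assumption, not any browser's actual rule.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin letters
# (an assumption for this example; not a complete confusables table).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u04cf": "l",
}

def script_of(ch):
    """Coarse script name, taken from the first word of the Unicode name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits, hyphen
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def decode_label(label):
    """Return the Unicode form of one DNS label (Punycode if xn-- prefixed)."""
    if label.lower().startswith("xn--"):
        return label[4:].lower().encode("ascii").decode("punycode")
    return label

def check_hostname(hostname):
    """Return (unicode_form, findings) for a hostname in its wire form."""
    labels = [decode_label(l) for l in hostname.split(".")]
    findings = []
    for label in labels:
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            findings.append(f"mixed-script label {label!r}: {sorted(scripts)}")
        elif scripts == {"CYRILLIC"} and all(
            c in CYRILLIC_LOOKALIKES for c in label if script_of(c) == "CYRILLIC"
        ):
            # Every letter has a Latin twin, so the label can pass for ASCII.
            skeleton = "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)
            findings.append(f"label {label!r} renders like Latin {skeleton!r}")
    return ".".join(labels), findings

def to_ascii(hostname):
    """Encode a Unicode hostname to its xn-- wire form, label by label."""
    return ".".join(
        l if l.isascii() else "xn--" + l.encode("punycode").decode("ascii")
        for l in hostname.split(".")
    )
```

Feeding it hostnames pulled from proxy or mail-gateway logs gives a quick list of `xn--` names worth a manual look; a label in a real Cyrillic word that contains letters without Latin twins is not flagged.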
-
jito463 last edited by
Just wanted to add that I tested the bug on an earlier build of Opera (10.54), and while it still displayed the incorrect domain, the "Secure" icon in the address bar did list the actual correct domain name.
-
sgunhouse Moderator Volunteer last edited by
https://tech.slashdot.org/story/17/04/17/1329200/chrome-59-to-address-punycode-phishing-attack
Of course, when Chrome releases their update Opera will get it automatically.
-
jito463 last edited by
https://tech.slashdot.org/story/17/04/17/1329200/chrome-59-to-address-punycode-phishing-attack
Of course, when Chrome releases their update Opera will get it automatically.
True, and I intended to mention that in my post, but forgot (thanks for catching that for me). My intent was simply to alert people to the phishing bug, so they can be aware of it.