Google Chrome browser has an ‘impossible to detect’ security vulnerability

A major security vulnerability on popular web browsers like Chrome, Firefox and Opera may be making users vulnerable to hackers looking to steal their confidential data and identities.

According to security researcher Xudong Zheng, the vulnerability allows hackers to display fake domain names of popular websites on their own sites. This way, hackers can trick users into believing that they are visiting original websites rather than fake ones.

For example, a hacker can use a fake domain name of Apple or Amazon on his/her website and then ask users to click on such fake links. The hacker can then use auto-fill forms to obtain users' e-mail addresses and other details. What's worse is that such phishing attacks are 'almost impossible to detect', claims Zheng.

Zheng built a demo page to demonstrate the vulnerability he discovered. He registered a new domain using foreign characters, "xn--pple-43d.com", which the browser displayed as apple.com. He calls this a 'homograph attack', which is also known as script spoofing. In security parlance, the attack is defined as 'a way a malicious party may deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike.'
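The look-alike described above can be checked mechanically. The following Python sketch is an added example, not code from Zheng's post or from any browser: it decodes the Punycode labels of a hostname and reports mixed scripts and look-alikes of protected names. The `CONFUSABLES` map and `PROTECTED` list are small constructed assumptions.

```python
import unicodedata

# Constructed, deliberately small map of Cyrillic letters that resemble Latin ones.
# A production check would load the full Unicode confusables data instead.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
               "\u0455": "s", "\u04cf": "l"}
PROTECTED = {"apple.com", "amazon.com"}  # hypothetical list of names to protect

def to_unicode(host):
    """Decode every xn-- (Punycode) label to the Unicode form a browser may display."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def scripts(label):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(text):
    """Fold known look-alike letters to the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def assess(host):
    """Return (displayed form, list of findings) for one hostname."""
    shown = to_unicode(host)
    findings = []
    for label in shown.split("."):
        found = scripts(label)
        if len(found) > 1:
            findings.append(f"mixed scripts in {label!r}: {sorted(found)}")
    # Catches labels written entirely in one non-Latin script, which the check above misses.
    if not shown.isascii() and skeleton(shown) in PROTECTED:
        findings.append(f"look-alike of {skeleton(shown)}")
    return shown, findings

if __name__ == "__main__":
    # The first host is the one quoted in the article; the second is built here
    # from Cyrillic letters only, as a constructed sample.
    all_cyrillic = "xn--" + "\u0430\u0440\u0440\u04cf\u0435".encode("punycode").decode() + ".com"
    for host in ("xn--pple-43d.com", all_cyrillic, "apple.com"):
        print(host, "->", assess(host))
```

The all-Cyrillic sample passes the mixed-script test and is caught only by the skeleton comparison, which is why both checks are needed.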

The only way users can detect whether such websites are fake or not is by 'inspecting the site's URL or SSL certificate.' Until the vulnerability is fixed, the best way to access genuine sites is by typing the URL manually or navigating to the site via a search engine when in doubt, he added.

"A simple way to limit the damage from bugs such as this is to always use a password manager. In general, users must be very careful and pay attention to the URL when entering personal information. Until this is fixed, concerned users should manually type the URL or navigate to sites via a search engine when in doubt. This is a serious vulnerability because it can even fool those who are extremely mindful of phishing," he wrote in his blog post.

After Zheng reported the vulnerability to Google, the company responded with a new update, Chrome 58, to fix it. The update is expected to roll out on April 25th, and all Chrome users need to update their browsers to protect themselves from the vulnerability. "The problem remains in Firefox as they decided that it is a problem for domain registrars to deal with," he added.

Copyright Lyonsdown Limited 2021
