Have you heard of the so-called IDN homograph attack? This attack endangers Mac users who don’t update their machines regularly.
Also known as a script spoofing attack, the IDN (internationalized domain name) homograph attack lets threat actors deceive online users about the remote system they are communicating with, by exploiting the fact that many characters from different scripts look alike.
More specifically, such an attack can occur when someone registers a domain using Unicode characters that appear to be standard Latin letters while in fact they are not.
Here’s an example: coinḃase.com is an IDN homograph of coinbase.com, and the only visible difference between the two is the small dot above the letter “b” in the first case. On Macs, the issue revolves around the letter “d”, and the vulnerability has been assigned CVE-2018-4277.
CVE-2018-4277 Technical Description
As explained in Apple’s advisory (https://support.apple.com/en-us/HT208854), the vulnerability affects OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4, and can be triggered by visiting a malicious website, resulting in address bar spoofing:
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.
The vulnerability was discovered by a security researcher at Tencent Security Xuanwu Lab, who decided to investigate how Apple products handle Unicode characters. His interest in the subject was triggered by the increase in IDN homograph attacks registered in the past few months.
Overall, the researcher’s analysis showed that Apple’s handling of most Unicode characters is pretty good, with the exception of one letter – the Latin small letter dum (ꝱ, U+A771), which is part of the extended Latin character set.
“In my research, I found the Latin small letter dum (U+A771) glyph is very similar to Latin small letter D (U+0064) in Apple products. From the glyph standard of Unicode (U+A771), we can see that there should be a small apostrophe after d, but this is completely ignored in Apple products,” the researcher wrote.
It turns out that “an attacker can spoof all domain names containing the ‘d’ character”. This means that about 25% of the website domain names in the Google Top 10K list can be spoofed, because they contain the letter ‘d’.
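The following is an added example (not code from the article, Apple, or the Tencent researcher) of the kind of check a defender can run on a hostname before trusting it: it converts the name to its punycode (xn--) form, lists every non-ASCII character with its Unicode name, and folds the name to an ASCII “skeleton” by stripping combining marks (which exposes the ḃ in coinḃase.com as a plain b) and applying a small confusable table. The table entry mapping U+A771 to “d” is constructed from the article’s finding, not taken from Unicode’s confusables data; the protected-domain set and sample hostnames are constructed for the example.

```python
import unicodedata

# Lookalikes that NFD decomposition does not expose. U+A771 (LATIN SMALL
# LETTER DUM) renders like "d" on the affected Apple builds per the article;
# this entry is constructed from that finding, not from Unicode's confusables.txt.
EXTRA_CONFUSABLES = {"\ua771": "d"}

# Constructed brand list: domains we want to detect lookalikes of.
PROTECTED = {"coinbase.com", "linkedin.com", "dropbox.com", "reddit.com"}

# Constructed sample hostnames: one genuine, two homographs.
SAMPLES = [
    "coinbase.com",
    "coin\u1e03ase.com",   # LATIN SMALL LETTER B WITH DOT ABOVE (the article's example)
    "linke\ua771in.com",   # LATIN SMALL LETTER DUM in place of "d" (CVE-2018-4277 lookalike)
]


def ascii_skeleton(label):
    """Fold a label to the ASCII name it visually imitates: decompose to NFD,
    drop combining marks (category Mn), then apply the confusable table."""
    out = []
    for ch in unicodedata.normalize("NFD", label):
        if unicodedata.category(ch) == "Mn":
            continue  # e.g. U+0307 COMBINING DOT ABOVE left over from ḃ
        out.append(EXTRA_CONFUSABLES.get(ch, ch))
    return "".join(out)


def suspicious_chars(hostname):
    """Return (code point, Unicode name, folded ASCII) for each non-ASCII character."""
    return [
        (f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"), ascii_skeleton(ch))
        for ch in hostname
        if ord(ch) > 0x7F
    ]


def to_punycode(hostname):
    """Return the ACE (xn--) form a resolver would actually look up.
    Python's idna codec applies nameprep, which may reject some code points."""
    try:
        return hostname.encode("idna").decode("ascii")
    except UnicodeError as exc:
        return f"<not encodable: {exc}>"


def homograph_match(hostname, protected=PROTECTED):
    """Return the protected domain this hostname imitates, or None.
    A pure-ASCII hostname is never reported: it either is the real domain
    or is a different (typo-style) name, which this check does not cover."""
    if hostname.isascii():
        return None
    skeleton = ascii_skeleton(hostname)
    return skeleton if skeleton in protected else None


def analyze(hostname):
    """Bundle every signal for one hostname so it can be logged or alerted on."""
    return {
        "input": hostname,
        "punycode": to_punycode(hostname),
        "skeleton": ascii_skeleton(hostname),
        "suspicious": suspicious_chars(hostname),
        "imitates": homograph_match(hostname),
    }


if __name__ == "__main__":
    for name in SAMPLES:
        report = analyze(name)
        print(f"{report['input']!r:24} punycode={report['punycode']:32} "
              f"skeleton={report['skeleton']:16} imitates={report['imitates']}")
        for cp, uname, folded in report["suspicious"]:
            print(f"    {cp} {uname} (looks like {folded!r})")
```

Comparing the folded skeleton against a list of protected domains, rather than flagging every non-ASCII name, keeps legitimate internationalized domains (a German name with an umlaut, for instance) from being reported; the punycode column is the form worth matching in DNS or proxy logs, since that is what the resolver sees regardless of how the browser renders it.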
The researcher also provided a video demo of the attack. The domains that can be affected by this attack include LinkedIn, Baidu, Dropbox, Adobe, WordPress, Reddit, and GoDaddy, among numerous other well-known websites.
What can Apple users do to protect themselves? If an update is not possible for one reason or another, Apple users can be extra careful by closely examining the letter “d” in Safari’s URL bar, because it may not be the letter “d” after all. If Apple’s security patches from July can’t be applied, it may be a good idea to use another browser.