Google has confirmed that it is working on an update for the Chrome web browser to fix a bug that leaves users open to phishing attacks. The vulnerability will be patched on all versions of Chrome, including those on iOS and macOS. Google is a little late to the party, since this bug has already been patched in Apple's Safari and in Microsoft's Internet Explorer and Edge.
The bug in question takes advantage of Punycode, the encoding that represents Unicode domain names as plain ASCII strings (the "xn--" form seen in URLs) which the browser then decodes and displays as Unicode characters. This allows phishers to register domains that Chrome displays as if they were legitimate domains.
Such a domain can lure visitors into divulging their personal information, including but not limited to names, addresses, emails, passwords, PINs, and more. Software engineer Xudong Zheng created a safe proof-of-concept which appears to direct visitors to apple.com but in reality takes them to www.xn--80ak6aa92e.com.
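The check below, written for this page as an added example and not Xudong Zheng's or Google's code, shows the defender's view of the problem: it Punycode-decodes each "xn--" label of a hostname, maps each non-ASCII letter to the Latin letter it resembles using a small constructed lookalike table (an assumption of this example, not Unicode's full confusables data), and reports when the resulting Latin "skeleton" matches a trusted host. The trusted-host set and the lookalike table are both assumptions; decoding the demo domain www.xn--80ak6aa92e.com yields Cyrillic letters whose skeleton is www.apple.com, while a genuine internationalised name such as münchen.de contains a letter the table cannot map and is left alone.

```python
# Constructed, deliberately small table of Cyrillic letters and the Latin letters
# they resemble in common fonts. This is an assumption for the example; a real
# tool would load the full Unicode confusables table instead.
LATIN_LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def decode_label(label):
    """Return the Unicode form of one DNS label.

    Labels carrying the 'xn--' ACE prefix are Punycode-decoded with the
    standard library codec (RFC 3492); plain ASCII labels pass through.
    """
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(unicode_label):
    """Map every lookalike letter to the Latin letter it imitates.

    ASCII characters pass through unchanged. Returns None when the label
    contains a non-ASCII character the table cannot map, i.e. the label is
    not a whole-word imitation of a Latin name (a genuine IDN, for instance).
    """
    out = []
    for ch in unicode_label:
        if ch.isascii():
            out.append(ch)
        elif ch in LATIN_LOOKALIKES:
            out.append(LATIN_LOOKALIKES[ch])
        else:
            return None
    return "".join(out)


def check_host(host, trusted_hosts):
    """Classify an ASCII hostname as it appears in a URL.

    Returns (unicode_host, verdict) where verdict is one of:
      'ascii'                        - no IDN labels at all
      'idn'                          - internationalised name, not a Latin lookalike
      'homograph of <host>'          - every non-ASCII letter imitates Latin and the
                                       result matches a trusted host
      'lookalike (no trusted match)' - imitates Latin but matches nothing we trust
    """
    unicode_labels = [decode_label(label) for label in host.split(".")]
    unicode_host = ".".join(unicode_labels)
    if unicode_host == host:
        return unicode_host, "ascii"

    skeleton_labels = [skeleton(label) for label in unicode_labels]
    if any(s is None for s in skeleton_labels):
        return unicode_host, "idn"

    skeleton_host = ".".join(skeleton_labels)
    # Treat a leading "www." as equivalent to the bare trusted domain.
    bare = skeleton_host[4:] if skeleton_host.startswith("www.") else skeleton_host
    if skeleton_host in trusted_hosts or bare in trusted_hosts:
        return unicode_host, "homograph of %s" % skeleton_host
    return unicode_host, "lookalike (no trusted match)"


if __name__ == "__main__":
    trusted = {"apple.com"}  # constructed allow-list for the demo
    for h in ("www.xn--80ak6aa92e.com", "apple.com", "xn--mnchen-3ya.de"):
        print(h, "->", check_host(h, trusted))
```

The skeleton comparison is the part worth keeping: it catches a label made entirely of lookalike letters, which is exactly what fooled Chrome here, while leaving mixed or non-Latin names (the normal case for IDN users) untouched.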
Google was notified about this vulnerability in Chrome on January 20th, and it is not immediately clear why the company has taken so long to fix it.
The fix is now available in Chrome builds in the experimental Canary program for Windows, macOS, and Android. The update still has to go through Chrome's regular beta channel before it is released to everyone at some point next week.