Homograph attack using internationalized domain name

You can't use special chars in a domain name, a DNS server would not understand them. You are limited to the set of alphanumeric ASCII characters (a-z, A-Z, 0-9). Now let's say that we are living in Russia, the Cyrillic chars are not part of the allowed set of characters, nonetheless your business has a Cyrillic name and your customers have a Cyrillic keyboard so there is a problem.

The solution is named Punycode. This is a way to convert a unicode domain name to an ASCII domain name. This conversion is handled by the browser. For instance, if you write the domain name www.Примеры.com in your URL bar, your browser will bring you there : www.xn--e1afmkfd1f.com because it is the ASCII version of Примеры once the Punycode encoding has been applied.

So you can use more characters in your domain names, which is great, nonetheless there is one problem. Do you see the difference between www.paypal.com and www.раураІ.com? Just copy and paste the previous URLs, the first one will bring you to the real Paypal website and the second one on my "phishing" website.

The real URL of the second link is http://www.xn--80aa0cbo0j.com, this awful URL is called an IDN domain name (for internationalized domain names), this is the Punycode version of раураІ wrote using Russian characters. You can easily buy an IDN domain name, as I did, even if there is some rules to respect.

If you have the ability to edit the URL, as I have on this blog, it is not a security issue. I can link a word to a different domain name, for instance www.dog.com is linked to a website about cats. So basically I can bring you where I want, it is a problem when you can input an URL but you can't edit it. In that case the user will trust what he sees. If it is written paypal.com AND there is no way to edit the url, clicking on the link should bring you on paypal.com.

For instance on social networks generally you are not able to modify an URL when you paste it. So let's see how social networks handle this case. I will use http://www.xn--eby-7cd.com/ which is the IDN domain name for http://www.ebаy.com/ (ebay with a Russian "a").


The IDN version of the domain name is not displayed. If I post the following :
IDN attack on Facebook before post Once published, Facebook will display :
IDN attack on Facebook after post The worst about Facebook is that even if you paste the IDN version of the domain name: http://www.xn--eby-7cd.com they will write www.ebay.com when you publish it (kind of funny). The problem is exactly the same in Messenger.

Google +

IDN attack on Google + before post

IDN attack on Google + after post

Google plus does not display the IDN version of the domain name. The problem also exists on Twitter, Vimeo and a bunch of other websites.

In the previous pictures, if you click on the Ebay link you will end up on http://www.xn--eby-7cd.com whereas www.ebay.com is displayed.

Each of the previous companies are aware of the problem and are okay with it. The goal of this post is to talk about the problem to raise consciousness, it's up to the companies to see that as a vulnerability or not, I trust their judgement.

I found one exception nonetheless, Slack is taking this problem seriously. In the chat app, if you copy and paste an URL containing special chars, the IDN version of the domain name will be displayed.

IDN attack on Slack before post

IDN attack on Slack after post

Unfortunately, I am sure that the people reading this are already extra careful when browsing the web. For the others, keep in mind that even if there is no way to edit an URL, it's not because ebay.com is displayed that you will end up on Ebay. Always check the URL bar once the page has been loaded. Also the green padlock means nothing if the domain name is not the correct one. For instance, I could serve my PayPal fake website on HTTPS, the green padlock would be there.