Most Apple users install updates, but there's always a small group of people who, for various reasons, lag behind when it comes to installing updates, for one reason or another, legitimate, or not.
If you're one of the users in the latter category, then you should be aware that the letter "d" is not always the letter "d" when displayed inside the Safari address bar.
This might sound like a non-issue, but it's actually a very important problem that all Apple users who don't run the latest OS software need to be aware of, as they could fall victims to what security researchers call "IDN homograph attacks."
IDN homograph attacks happen when someone registers a domain using Unicode characters that look like standard Latin letters, but they are not. For example, coinḃase.com is an IDM homograph attack for coinbase.com (notice the dot above the letter b).
These lookalike domains are usually used for phishing, tricking users into thinking they accessed a legitimate site when they're on a cleverly crafted clone.
IDN homograph attacks have been an issue over the past year, and several incidents have been reported in the security news media about homograph attacks against cryptocurrency exchanges in 2017 and 2018 [1, 2, 3].
Driven by this new wave of homograph attacks, xisigr, a security researcher at Tencent Security Xuanwu Lab, has recently taken a look at how Apple products handle Unicode characters.
What the researcher found is that Apple does a good job with most Unicode characters, except one --which is the letter dum (ꝱ) (U+A771), part of the extended Latin alphabet character set.
The letter looks like a normal Latin lowercase letter 'd', except it comes with a lower apostrophe. But xisigr found that Safari did not render the small lower apostrophe, displaying the letter dum as a Latin letter d.
Unfortunately, users who have not applied those updates are still vulnerable to phishing attacks. An attacker can record domain names that include the letter dum and he can launch phishing campaigns against Apple users.
Xisigr says the issue should not be ignored because he found that the letter d is part of almost 25 percent of all Top 10,000 domains, providing attackers with a huge phishing surface.
Some of the domains that a phisher could impersonate include LinkedIn, Baidu, Dropbox, Adobe, WordPress, Reddit, or GoDaddy, just to name a few.
Furthermore, even if some domain registrars prevent users from registering domain names that contain Unicode characters, this limitation doesn't apply to the letter dum because it's part of the extended Latin character alphabet, and hence, is considered a standard Latin character.
If Apple users can't update, for the time being, they should at least take notice that the letter "d" in Safari's URL bar may not actually be "d" and they should use another browser to navigate the web until they can apply Apple's July security patches.
- Apple's Safari tests 'not secure' warning for unencrypted websites CNET
- Hackers use Drupalgeddon 2 and Dirty COW exploits to take over web servers
- Google Play Protect analyzes every Android app that it can find on the internet
- AWS rolls out new security feature to prevent accidental S3 data leaks
- Evernote for Windows patch resolves stored XSS vulnerability
- How to use Safari's suggested passwords feature TechRepublic
- One in five Magecart-infected stores get reinfected within days
- Many free mobile VPN apps are based in China or have Chinese ownership
Best Black Friday 2018 deals:
- Amazon Seven Days of Black Friday Deals: All-time lows on office devices
- Amazon Black Friday 2018 deals: See early sales on Echo, Fire HD
- Best Buy Black Friday 2018 deals: Deep discounts on Apple Mac, Microsoft Surface
- Target Black Friday 2018 deals: $250 iPad mini 4, $120 Chromebook
- Walmart Black Friday 2018 deals: $99 Chromebook, $89 Windows 2-in-1
- Dell Black Friday 2018 deals: $120 Inspiron laptop, $500 gaming desktop
- Newegg Black Friday 2018 deals: $50 off Moto G6, $70 off Nest thermostat
- Office Depot Black Friday 2018 deals: $300 off Lenovo Flex, $129 HP Chromebook
- eBay Black Friday 2018 deals: See early sales on Galaxy Watch, Chromecast
- Lenovo Black Friday 2018 deals: ThinkPad laptops and more
- Microsoft Store Black Friday 2018 deals: Ad showcases Surface, laptop deals
- Windows laptops Black Friday deals: Dell, HP, Lenovo
- Chromebook Black Friday 2018 deals: Dell, Google, HP
- Best tablet Black Friday deals: Apple iPad, Amazon Fire
- Black Friday 2018 iPhone deals: $400 iPhone X gift card, BOGO iPhone XR
- Black Friday 2018 smartphone deals: OnePlus 6T, LG G7