"Google Fixing Chrome Bug That Leaves Users Open To Phishing..." http://www.ubergizmo.com/2017/04/google-fixing-chrome-bug-users-open-to-phishing/?utm_source=mainrss "Chrome And Firefox Adding Protection Against This Nasty Phishing Trick..." https://www.forbes.com/sites/leemat...ainst-this-nasty-phishing-trick/#3befc9012823
I knew when ICANN voted to allow this stupidity that it would cause issues. I didn't expect it to take this long to be a thing though.
It is affected too. You have to set "network.IDN_show_punycode" to true (false is the default) to mitigate it.
No. palemoon is protected even without toggling the about:config setting.Pale moon refuses to connect to such servers.
Try the "epic.com"-example: https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/ The connection was not refused.
No problem here with FF v3.6.14 Funny, my about:config shows false, but it still showed me the true URL Thanx to mood for the link
Also mentioned here - https://www.wilderssecurity.com/thr...-version-released.361562/page-52#post-2668083
Hovering the mouse over the link in Firefox discloses the scam, but if don't check before you click then the change in about:config will help., You still need to notice what is displaying in the address bar though.
Pale Moon is using a blacklist and if an unicode character looks similar to an ASCII character, the URL will be shown in ASCII characters: But if characters are not on the "blacklist", the URL is displayed like in other vulnerable browsers. network.IDN_show_punycode should be set to true to mitigate this. The user can also check the certificate of https-sites: There will be a change in the next version of Pale Moon:
The vulnerability has been fixed in Google Chrome v58 (stable): Results: https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/ https://www.bleepingcomputer.com/ne...a-vulnerable-to-undetectable-phishing-attack/
