Hackers Abuse RTL/LTR Text Tricks and Browser Flaws to Mask Malicious Links

Cybersecurity researchers at Varonis Threat Labs have uncovered a persistent vulnerability that has remained unaddressed for over a decade, allowing attackers to exploit browser handling of Right-to-Left (RTL) and Left-to-Right (LTR) text scripts to create deceptive URLs.

This technique, known as BiDi Swap, enables threat actors to craft malicious links that appear legitimate to unsuspecting users, making it an effective tool for phishing campaigns.

Overview of the BiDi Attack

[Figure: infographic of spoofing attack types (website, email, IP, GPS and man-in-the-middle)]

Understanding the BiDi Swap Attack Method

The BiDi Swap technique exploits weaknesses in how browsers implement the Bidirectional Algorithm, part of the Unicode Standard designed to display mixed LTR and RTL scripts properly.

While this algorithm generally handles domain names correctly, it struggles with subdomains and URL parameters containing mixed text directions.

Attackers leverage this limitation to create URLs where the displayed text doesn’t match the actual destination, effectively masking malicious links behind seemingly trustworthy addresses.

The vulnerability becomes particularly dangerous when combined with clever domain structures.

For example, attackers can construct URLs using Hebrew or Arabic characters alongside English subdomains, causing browsers to display confusing or misleading addresses that appear to lead to legitimate websites like “varonis.com” when they actually redirect to malicious domains.

[Figure: Punycode homograph attack domains with their corresponding SSL certificate details]

[Figure: lookalike URLs]

BiDi Swap builds upon previous Unicode exploitation techniques that have plagued web security for years.

Punycode homograph attacks represent one such predecessor, where attackers use Internationalized Domain Names containing visually similar characters from different alphabets.

For instance, domains like “аpple.com” using Cyrillic characters instead of Latin letters can fool users into believing they’re visiting legitimate websites.

RTL Override exploits are another historical attack vector, in which a special Unicode control character flips the text direction mid-string.

These attacks can disguise file extensions, making a malicious executable look like a harmless PDF: by placing the override character strategically, a name such as “malware.exe” is rendered so that it appears to be “malware.pdf”.

Browser Response and Mitigation Efforts

Current browser implementations show varying levels of protection against BiDi Swap attacks.

Chrome’s “Navigation suggestion for lookalike URLs” feature provides limited protection, primarily flagging well-known domains like “google.com” while allowing many spoofed addresses to pass undetected.

Firefox takes a different approach by highlighting key domain components in the address bar, making it easier for users to identify suspicious links.

Microsoft Edge has acknowledged the issue but hasn’t implemented significant changes to URL representation.

Interestingly, the now-discontinued Arc browser demonstrated effective protection by clearly distinguishing between legitimate and potentially spoofed domains through enhanced visual indicators.

Organizations and individuals can implement several defensive measures against these sophisticated URL spoofing attacks.

User education remains crucial, emphasizing the importance of carefully examining URLs before clicking, especially those containing mixed scripts or unusual character combinations.

Users should hover over links to reveal actual destinations and verify domain consistency.

On the technical side, browser developers should be encouraged to strengthen existing protections, such as clearer domain highlighting in the address bar and more comprehensive lookalike detection.

Security teams should implement additional layers of protection, including email filtering systems that can detect Unicode-based spoofing attempts and user training programs that specifically address these emerging threats.
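One such filtering check, as an added example that is not from Varonis or the original article: a stdlib-only Python scanner that flags a URL when its host, path or query mixes right-to-left and left-to-right text (the BiDi Swap condition described above), when it contains explicit Unicode directional controls (the RTL Override trick), or when a hostname label mixes scripts or is Punycode-encoded (the homograph trick). All hostnames and paths below are constructed samples.

```python
import unicodedata
from urllib.parse import urlsplit

# Explicit directional formatting characters: LRM/RLM, embeddings,
# overrides (including U+202E RIGHT-TO-LEFT OVERRIDE) and isolates.
BIDI_CONTROLS = {"\u200e", "\u200f", "\u202a", "\u202b", "\u202c", "\u202d",
                 "\u202e", "\u2066", "\u2067", "\u2068", "\u2069"}


def script_of(ch):
    """Approximate a letter's script from the first word of its Unicode name
    (e.g. 'LATIN', 'CYRILLIC', 'HEBREW', 'ARABIC')."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def decode_host(host):
    """Turn Punycode (xn--) labels back into Unicode so they can be inspected;
    a host that is already Unicode is returned unchanged."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def flag_url(url):
    """Return a sorted list of reasons this URL deserves a closer look
    (empty list means no Unicode-based spoofing indicator was found)."""
    parts = urlsplit(url)
    raw_host = parts.hostname or ""
    host = decode_host(raw_host)
    reasons = set()
    # 1. Directional control characters anywhere in the URL.
    if any(ch in BIDI_CONTROLS for ch in url):
        reasons.add("bidi-control")
    # 2. RTL (Hebrew/Arabic: bidi classes R/AL) mixed with LTR text in the
    #    host, path, query or fragment, which is what BiDi Swap relies on.
    text = host + parts.path + parts.query + parts.fragment
    classes = {unicodedata.bidirectional(ch) for ch in text}
    if classes & {"R", "AL"} and "L" in classes:
        reasons.add("mixed-direction")
    # 3. A single label drawing letters from more than one script (homograph).
    for label in host.split("."):
        if len({script_of(ch) for ch in label if ch.isalpha()}) > 1:
            reasons.add("mixed-script-label")
    # 4. Punycode labels are worth surfacing to the user on their own.
    if any(label.startswith("xn--") for label in raw_host.split(".")):
        reasons.add("punycode")
    return sorted(reasons)
```

Run `flag_url` over the URLs extracted by a mail filter or proxy log and quarantine or annotate anything that returns a non-empty list.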

The persistence of BiDi Swap vulnerabilities across major browsers highlights the ongoing challenge of balancing internationalization support with security requirements.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.