Hackers Exploit RTL/LTR Scripts and Browser Gaps to Hide Malicious URLs

A decade-old Unicode vulnerability known as BiDi Swap allows attackers to spoof URLs for sophisticated phishing attacks.

By exploiting how browsers render mixed Right-to-Left (RTL) and Left-to-Right (LTR) language scripts, threat actors can craft URLs that appear legitimate but secretly redirect users to malicious sites.

The BiDi Swap attack builds on prior Unicode manipulation methods that have long been a concern for web security.

In the past, attackers used Punycode Homograph Attacks to register domains with non-Latin characters that look nearly identical to Latin letters, creating convincing spoofs of popular websites.

Another common technique was the RTL Override exploit, where special Unicode characters were embedded in a file name or URL to reverse the text direction.

This could make a malicious executable file appear as a harmless document, tricking users into running it.

These earlier attacks demonstrated how subtle flaws in text rendering could be exploited for malicious purposes, paving the way for more advanced techniques like BiDi Swap that abuse the fundamental logic of how browsers display web addresses.

How the BiDi Swap Attack Works

Web browsers rely on the Unicode Bidirectional (BiDi) Algorithm to correctly display text containing both LTR scripts, such as English, and RTL scripts, like Arabic or Hebrew.

However, research from Varonis Threat Labs shows this algorithm has a critical weakness when handling URLs that mix scripts across subdomains and parameters.

An attacker can exploit this by crafting a URL in which a legitimate-looking LTR subdomain label (e.g., paypal.com) is placed in front of an obscure, attacker-controlled RTL domain.

Due to the browser’s flawed rendering, the legitimate subdomain is displayed as the primary domain in the address bar, visually masking the true, malicious destination.

This confuses the user, who believes they are on a trusted site while their browser is actually navigating to an attacker-controlled server, making them vulnerable to phishing and data theft.
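The weakness described above is in how the address bar renders a mixed-direction hostname, so a defender's first line of detection is to look at the URL in logical (storage) order rather than display order. The following is an added example, not code from the article or from Varonis, showing how a proxy, mail gateway or SIEM enrichment step could flag hostnames that mix RTL and LTR runs or scripts, or that carry explicit bidi control characters, and how to render such URLs so that log viewers do not apply the BiDi algorithm to them. The sample URLs are constructed for illustration; the script-name heuristic based on `unicodedata.name` is an approximation, since the standard library does not expose the Unicode Script property.

```python
import unicodedata
from urllib.parse import urlsplit

# Explicit bidi control characters: embeddings/overrides (U+202A..U+202E),
# isolates (U+2066..U+2069) and the LRM/RLM marks (U+200E, U+200F).
BIDI_CONTROLS = (
    {chr(c) for c in range(0x202A, 0x202F)}
    | {chr(c) for c in range(0x2066, 0x206A)}
    | {"\u200e", "\u200f"}
)

# Bidi classes that start a right-to-left run (Hebrew, Arabic letters, Arabic digits).
RTL_CLASSES = {"R", "AL", "AN"}


def decode_label(label: str) -> str:
    """Return the Unicode form of one hostname label (decodes xn-- Punycode labels)."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            return label  # malformed label: analyze it as-is
    return label


def label_directions(host: str) -> list[tuple[str, str]]:
    """Classify each dotted label as 'L', 'R', 'mixed' or 'neutral' by bidi class."""
    result = []
    for label in host.split("."):
        classes = {unicodedata.bidirectional(ch) for ch in decode_label(label)}
        has_rtl = bool(classes & RTL_CLASSES)
        has_ltr = "L" in classes
        if has_rtl and has_ltr:
            direction = "mixed"
        elif has_rtl:
            direction = "R"
        elif has_ltr:
            direction = "L"
        else:
            direction = "neutral"
        result.append((label, direction))
    return result


def scripts_in_host(host: str) -> set[str]:
    """Heuristic script set: first word of each letter's Unicode name (LATIN, HEBREW, ...)."""
    scripts = set()
    for label in host.split("."):
        for ch in decode_label(label):
            if ch.isalpha():
                scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def analyze_url(url: str) -> dict:
    """Return the hostname, per-label directions and a list of risk flags for a URL."""
    host = urlsplit(url).hostname or ""
    directions = label_directions(host)
    flags = []
    if any(ch in BIDI_CONTROLS for ch in url):
        flags.append("bidi-control-chars")
    dirs = {d for _, d in directions}
    if "mixed" in dirs or {"L", "R"} <= dirs:
        flags.append("mixed-direction-hostname")
    if len(scripts_in_host(host)) > 1:
        flags.append("mixed-script-hostname")
    return {"host": host, "directions": directions, "flags": flags}


def safe_display(url: str) -> str:
    """Escape non-ASCII so the logical order is visible and no bidi reordering applies."""
    return url.encode("unicode_escape").decode("ascii")


if __name__ == "__main__":
    # Constructed samples: a benign host, a Hebrew label hidden behind a familiar-looking
    # LTR subdomain, and a path carrying a right-to-left override character.
    samples = [
        "https://www.example.com/",
        "https://paypal.com.\u05d0\u05d1\u05d2.example/login",
        "https://example.com/\u202ereport.pdf",
    ]
    for s in samples:
        r = analyze_url(s)
        print(safe_display(s), r["directions"], r["flags"])
```

In a pipeline, `safe_display` is the form worth writing to logs and alerts: it keeps the URL in logical order, so an analyst sees the subdomain and the RTL label in the order the browser actually resolves them rather than the order the address bar painted them.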

The response from browser developers to this long-standing issue has been inconsistent. Google Chrome offers a “lookalike URL” suggestion feature, but it only flags a limited number of well-known domains, leaving many others exposed.

Mozilla Firefox takes a better approach by visually highlighting the core part of the domain in the address bar, which helps users more easily spot potential spoofs.

While Microsoft marked the issue as resolved in its Edge browser, researchers note that the underlying vulnerability in URL representation remains.

To stay safe, users should cultivate a habit of suspicion. Always hover over links to inspect their true destination before clicking, carefully verify a site’s SSL certificate, and be wary of any URL that appears to mix different language scripts or contains unusual formatting.

Ultimately, enhanced user awareness and improved browser-level defenses are essential to neutralize this deceptive threat.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.