Punycode vulnerability in Chromium

In Chromium older than M58.

With FF browser the problem can be mitigated:

Firefox users can limit their exposure to this bug by going to about:config and setting network.IDN_show_punycode to true. This will force Firefox to always display IDN domains in its Punycode form, making it possible to identify malicious domains. Thanks to user MARKZILLA from reddit for this temporary solution.

People with Chrome using the latest version are protected:

Chrome 58+ users and Firefox users who apply this fix will see the Punycode domain rather than “apple.com”.

Also using a password manager helps to mitigate the problem:

A simple way to limit the damage from bugs such as this is to always use a password manager.

Extra vigilance also comes in handy:

In general, users must be very careful and pay attention to the URL when entering personal information. Until this is fixed, concerned users should manually type the URL or navigate to sites via a search engine when in doubt.

Using your bookmarks for important sites may also help to mitigate the issue.

Since Dragon is at Chromium 55, this is a concern I think. There are currently 3 extensions available for Chromium that warn of Punycode content; I’m now running the Punycode Alert extension, which seems to function quite well.

Dragon at Chromium 58 would be the ideal solution though…
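What the Firefox network.IDN_show_punycode setting and the Punycode Alert extension do, in effect, is show the xn-- form of an internationalized label so that a lookalike domain stops looking like the real one. The script below is an added example, not code from the post, from Chromium, or from the extension; it converts a hostname to its Punycode form with Python's built-in idna codec and flags any label that is non-ASCII or mixes scripts (Latin and Cyrillic letters in one label, for instance). The sample hostnames are constructed for the demonstration, and the script detection is a heuristic based on the first word of each character's Unicode name, which is an approximation of the Unicode Script property rather than the real thing.

```python
import unicodedata

# Characters that carry no script information on their own
COMMON = set("-0123456789")


def to_punycode(hostname):
    """Return the ASCII (Punycode, xn--) form of a hostname.

    This is the form shown when network.IDN_show_punycode is true;
    pure-ASCII labels are returned unchanged.
    """
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname):
    """Inverse of to_punycode: decode any xn-- labels back to Unicode."""
    return hostname.encode("ascii").decode("idna")


def label_scripts(label):
    """Heuristic script set for a label: 'LATIN', 'CYRILLIC', 'GREEK', ...

    Uses the first word of the Unicode character name, e.g.
    'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'. Digits and hyphens are skipped.
    """
    scripts = set()
    for ch in label:
        if ch in COMMON:
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNASSIGNED")
    return scripts


def assess(hostname):
    """Classify a hostname the way a Punycode-warning extension might.

    Returns the Punycode and Unicode forms plus a list of findings:
    one entry per non-ASCII label, noting whether it mixes scripts.
    """
    ascii_form = to_punycode(hostname)
    unicode_form = to_unicode(ascii_form)
    findings = []
    for label in unicode_form.split("."):
        if label.isascii():
            continue  # plain ASCII label, nothing to warn about
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append(
                f"mixed-script label {label!r}: {sorted(scripts)}")
        else:
            findings.append(
                f"non-ASCII label {label!r} ({scripts.pop()})")
    return {
        "input": hostname,
        "punycode": ascii_form,
        "unicode": unicode_form,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # Constructed samples: plain ASCII, a legitimate German IDN,
    # and a label where the 'a' is the Cyrillic letter U+0430.
    samples = ["example.com", "bücher.example", "ex\u0430mple.com"]
    for host in samples:
        result = assess(host)
        print(f"{host!r} -> {result['punycode']}")
        for finding in result["findings"]:
            print("   ", finding)
```

Running it shows the ASCII form a user would see with Punycode display enabled and, for each non-ASCII label, whether the warning is merely "this is an IDN" or the stronger "this label mixes scripts". A single-script non-ASCII label is not itself a sign of an attack; the mixed-script case is the one that deserves attention before entering credentials, and a password manager that fills only on the exact registered origin sidesteps the question entirely.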