
Google is expected to fix a phishing flaw this month on its Chrome browser that can redirect users to fake domains, according to blog posts by web developer Xudong Zheng and Wordfence.

The bug has been fixed in Microsoft Edge, Internet Explorer and Safari, but it still affects the current Chrome browser, version 57.0.2987, and the current version of Firefox, 52.0.2.


The exploit was reported to the Chrome and Firefox teams on Jan. 20 and was fixed in Google Chrome Canary on March 24. Google will include the fix in Chrome 58, which should be available to everyone by April 25, Zheng said.

The bug abuses Punycode, the encoding that makes it possible to register domains containing non-ASCII characters. Punycode converts an individual domain label into an alternative form that uses only ASCII characters (e.g. xn--s7y.co is displayed as 短.co in browsers configured for Chinese).

With the flaw, phishers can register fake domains that look identical to a real website. For example, a safe proof-of-concept by Zheng appears to be apple.com but is actually www.xn--80ak6aa92e.com. Another proof of concept, demonstrated by Wordfence, used the domain https://xn--e1awd7f.com/, which Chrome and Firefox display as epic.com.
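To see what the address bar is hiding, the Punycode labels above can be decoded and checked for the homograph pattern. The following is an added example, not code from Zheng, Wordfence or Google; the lookalike table is a constructed subset and the classification rule is my own simplified heuristic.

```python
import unicodedata

# Cyrillic lowercase letters whose glyphs are near-identical to a Latin letter.
# Constructed subset for this example (assumption: not an official confusables list).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0501": "d", "\u0435": "e", "\u04bb": "h",
    "\u0456": "i", "\u0458": "j", "\u04cf": "l", "\u043e": "o", "\u0440": "p",
    "\u051b": "q", "\u0455": "s", "\u051d": "w", "\u0445": "x", "\u0443": "y",
}

def to_unicode(host: str) -> str:
    """Decode xn-- (Punycode) labels of an ASCII hostname into the Unicode a browser renders.
    Raises UnicodeError for non-ASCII input or malformed Punycode."""
    return host.encode("ascii").decode("idna")

def script_of(ch: str) -> str:
    """Rough script tag: first word of the Unicode name (LATIN, CYRILLIC, CJK, ...)."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def classify_label(label: str) -> str:
    """Classify one decoded label as 'ascii', 'mixed-script', 'lookalike:<latin>' or 'idn'."""
    if label.isascii():
        return "ascii"
    scripts = {script_of(ch) for ch in label if ch.isalpha()}
    if "LATIN" in scripts and len(scripts) > 1:
        # Latin letters mixed with another script: the classic homograph pattern.
        return "mixed-script"
    if all(ch in CYRILLIC_LOOKALIKES for ch in label):
        # Whole-script confusable: every character mimics a Latin letter, so report
        # the ASCII name the label impersonates (this is what hides "apple" and "epic").
        return "lookalike:" + "".join(CYRILLIC_LOOKALIKES[ch] for ch in label)
    return "idn"  # genuine internationalised label; nothing suspicious by this rule

def check_host(host: str) -> list:
    """Decode a hostname and classify each of its labels."""
    return [(label, classify_label(label)) for label in to_unicode(host).split(".")]

if __name__ == "__main__":
    for h in ("www.xn--80ak6aa92e.com", "xn--e1awd7f.com", "xn--s7y.co"):
        print(h, "->", check_host(h))
```

The two proof-of-concept domains from the article come back as lookalikes of "apple" and "epic", while 短.co is reported as an ordinary internationalised label.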


Google posted an update about Chrome on Monday, saying it regularly rolls out security updates for users, although it did not specifically mention the bug.

“Chrome automatically updates behind the scenes every six weeks to ensure that you always have the latest security features and fixes,” the company said in a statement. “And if we find an important security bug, we push out a fix within 24 hours — no update from you required.”

Mozilla, on the other hand, is undecided on whether to fix the bug. Wordfence recommends the following steps for Firefox users:

  1. In your Firefox location bar, type about:config.

  2. Do a search for punycode.

  3. You should see a parameter named network.IDN_show_punycode.

  4. Change the value from false to true.