SOLVED Firefox Users - Homograph Attack Punycode Flaw - Mitigation.


Chief Operations Officer
Apr 13, 2017
Reaction score
Until browsers such as Firefox/Chrome/Opera etc. are patched, some sophisticated phishing attack almost impossible to detect that takes advantage of the punycode function in browsers.

A couple of demo sites exits to show how this vulnerability is exploited, this is also a good opportunity to find out if your browser is vulnerable. will appear as will appear as https://www.еріс.com

Both demo sites are showing valid HTTPS certificates and most users would probably find it difficult to tell the difference, were these demo sites be malicious and also duplicate all content.

A simple method to verify that the site that you are viewing is not the site you intended to visit in such cases where exploits are being used maliciously, is to carefully examine the security certificate.

While Mozilla is still talking about possibilities for a fix, Google has already patched the vulnerability in Chrome Canary 59 and with the release of Chrome Stable 58 a permanent fix is realised.

Meanwhile a a temporary mitigation method for Firefox users exists by setting the network.IDN_show_punycode to true. Follow these steps below:

  1. Type about:config in address bar and press "Enter".
  2. Type Punycode in the search bar.
  3. Look for the parameter titled: network.IDN_show_punycode,
  4. Double-click or right-click and select Toggle to change the value from false to True.
And that it, remember to switch this setting back when a proper fix is released.
With network.IDN_show_punycode set to true the demo sites above will show the true URL domains.

News and fix source at :


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads