Apple users are advised to install the latest iOS July security updates if they want to avoid fall victims to a potentially malicious spoofing attack.
A new wave of so-called “IDN homograph attacks” has begun to spread, and those who have not yet updated their iOS devices to the latest version of the operating system are putting themselves at risk.
Basically, an IDN homograph attack is when someone registers a domain using Unicode characters that look like standard Latin characters, but, in fact, are not. Coin?ase.com, for example, could potentially be an IDN homograph attack for coinbase.com due to the Unicode letter impersonating a b (notice the dot above the letter b).
A domain using these sort of impersonating characters could potentially be used for phishing by duping users into believing that they have indeed accessed the actual site rather than a slick-looking imitation.
A security researcher at Tencent Security Xuanwu Lab has recently taken a look at how Apple products handle Unicode characters, noticing that the letter “d” in your Safari address bar might not always be the letter “d”.
The “Latin small letter dum (U+A771) glyph is very similar to Latin small letter D (U+0064) in Apple products,” writes the researcher. “From the glyph standard of Unicode (U+A771), we can see that there should be a small apostrophe after d, but this is completely ignored in Apple products.” Safari did not render the small lower apostrophe, displaying the letter dum as a Latin letter d.
Such a vulnerability could allow users to fall victims to IDN homograph attacks with popular websites such as LinkedIn, Dropbox, Reddit, GoDaddy, and Wordpress, among many others. The researcher says the issue should not be ignored because he found that the letter d is part of almost 25 percent of all Top 10,000 domains, providing attackers with a massive phishing pool.
According to the researcher, the affected products include Apple watchOS before 4.3.2, Apple iOS before 11.4.1, Apple tvOS before 11.4.1, and Apple macOS High Sierra before 10.13.5.
A simple update the latest version of your device’s operating system should apply Apple‘s latest security patches, allowing users to completely avoid this potential issue. If whatever reason you can’t update, take notice that the letter “d” in Safari’s URL bar may not actually be “d” and use another browser to navigate the web until you can apply Apple’s July security patches.
