Skip to main content

See how hard browsers have to work to identify a fake apple.com website

Way back in 2017, a security researcher created a fake apple.com website where the URL looked completely correct. The trick was that the domain he registered used a unicode character that looks like an “a” but is in fact a Cyrillic character.

Browsers were updated to detect this kind of fakery, but it’s far from a simple process – as a new video (below) illustrates …

Background

We explained at the time how this worked, and noted that Safari was the only major browser to detect it.

The trick employed by the site is to use Unicode characters that look the same as the appropriate ASCII characters for the site impersonated, explains researcher Xudong Zheng.

It is possible to register domains such as “xn--pple-43d.com”, which is equivalent to “аpple.com”. It may not be obvious at first glance, but “аpple.com” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0061). This is known as a homograph attack.

Safari isn’t fooled by this, but Chrome, Firefox and Opera all are. You can see this for yourself by using any of them to visit https://www.xn--80ak6aa92e.com (this is perfectly safe, it’s a site created by Zheng as a proof of concept). In Safari, you’ll see this URL as it appears here – but in the other browsers it will look exactly like https://www.apple.com.

Other browsers later caught up, but detecting this kind of trick is far more difficult than you might think.

Fake apple.com website challenges

YouTuber NoMagic has created a video explaining why the obvious solutions – like banning the use of Cyrillic characters within URLs – can’t be used.

Potential solutions that sound fine at first glance but would cause chaos in practice include:

  • Banning Cyrillic characters in URLs
  • Banning mixed character sets
  • Displaying warnings for mixed character sets
  • Only display characters used in user-set preferred languages

The video explains the problems with each of these approaches, and what browsers do instead.

It is, as the narrator says, a simple problem requiring surprisingly complex, multi-layered solutions.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications