Most Apple users install updates, but there is always a small group of people who, for reasons legitimate or not, lag behind in installing them.
If you are one of the users in the latter category, please note that the letter "d" is not always the letter "d" when it appears in the Safari address bar.
This may sound like a non-issue, but it is actually an important one that all Apple users who do not run the latest OS software must be aware of, as they may fall victim to what security researchers call an "IDN homograph attack."
An IDN homograph attack happens when someone registers a domain that uses Unicode characters that look like Latin characters but are not. For example, coinḃase.com is an IDN homograph of coinbase.com (note the dot above the letter b).
These lookalike domains are commonly used for phishing, tricking users into believing they are on a legitimate site when they are
IDN homograph attacks have been a problem over the past year, and several incidents of homograph attacks against cryptocurrency exchanges have been reported in the security news media in 201
Driven by this new wave of homograph attacks, xisigr, a security researcher at Tencent Security Xuanwu Lab, recently took a look at how Apple products handle Unicode characters.
What the researcher found is that Apple does a good job with most Unicode characters, except one: the Latin small letter dum (ꝱ, U+A771), part of the extended Latin character set.
The letter looks like a normal Latin letter "d", except that it carries a small apostrophe-like mark at the bottom. But xisigr found that Safari did not render this small lower mark, and displayed the letter dum exactly like a Latin letter d.
The Tencent researcher reported his findings to Apple, which released security updates in July for Safari, iOS, macOS, tvOS and watchOS.
Unfortunately, users who have not installed these updates are still vulnerable to phishing attacks. An attacker can register domain names that include the letter dum and launch phishing campaigns against Apple users.
Xisigr says the problem should not be ignored, because he found that the letter d appears in almost 25 percent of the top 10,000 domains, giving attackers a large phishing surface.
Some of the domains a phisher could imitate include LinkedIn, Baidu, Dropbox, Adobe, WordPress, Reddit, or GoDaddy, to name a few.
Furthermore, although some domain registrars prevent users from registering domain names containing Unicode characters, this limitation does not apply to the letter dum, because it is part of the extended Latin character set and is therefore treated as a standard Latin character.
Apple users who cannot update should, for now, be aware that the letter "d" in the Safari URL bar may not be a "d", and should use another browser to browse the web until they can apply Apple's July security updates.
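As an added example (not from the article or from Tencent's research), the following Python script shows how a defender can flag a hostname like the ones described above: it lists the non-ASCII code points, shows the punycode (xn--) form a resolver actually sees, and reconstructs the ASCII hostname the lookalike imitates. The LOOKALIKES table and the sample domains are constructed for this example.

```python
import unicodedata

# Hand-built lookalike table for characters that have no canonical
# decomposition. Only the letter the article discusses is listed;
# a real deployment would extend it (assumption for this example).
LOOKALIKES = {"\ua771": "d"}  # U+A771 LATIN SMALL LETTER DUM renders like "d"


def skeleton(host: str) -> str:
    """Approximate what the host *looks like* in ASCII: decompose, drop
    combining marks (so the dotted b in coinḃase collapses to b), then
    apply the LOOKALIKES table for characters that do not decompose."""
    decomposed = unicodedata.normalize("NFD", host)
    stripped = "".join(c for c in decomposed if unicodedata.category(c) != "Mn")
    return "".join(LOOKALIKES.get(c, c) for c in stripped)


def analyze_host(host: str) -> dict:
    """Report the non-ASCII code points in a hostname, its punycode (ACE)
    form as sent to DNS, and the ASCII hostname it visually imitates."""
    host = host.lower().rstrip(".")
    non_ascii = [
        (c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
        for c in host if ord(c) > 0x7F
    ]
    try:
        ace = host.encode("idna").decode("ascii")  # e.g. xn--...
    except UnicodeError:
        ace = None  # label rejected by the IDNA processing
    looks_like = skeleton(host)
    return {
        "host": host,
        "non_ascii": non_ascii,
        "ace": ace,
        "looks_like": looks_like,
        # Non-ASCII input that collapses to a pure-ASCII name is a homograph candidate.
        "suspicious": bool(non_ascii) and looks_like.isascii(),
    }


if __name__ == "__main__":
    # Constructed samples: the coinḃase example from the article, a hypothetical
    # LinkedIn lookalike built with U+A771 (not an observed domain), and a benign name.
    for sample in ["coin\u1e03ase.com", "linke\ua771in.com", "example.com"]:
        r = analyze_host(sample)
        print(r["host"], "->", r["ace"], "| looks like", r["looks_like"],
              "| suspicious:", r["suspicious"], r["non_ascii"])
```

Run against a list of hostnames from proxy or DNS logs, the `suspicious` flag and `looks_like` field let you compare each candidate against a list of brands you care about.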