The Varonis Threat Labs team has published an eye-opening report about a persistent vulnerability in how modern browsers handle mixed text direction, a flaw that has lingered for more than ten years. This weakness, known as BiDi Swap, allows attackers to craft deceptive URLs that look legitimate while secretly redirecting victims elsewhere.
The core issue lies in the way browsers interpret Left-to-Right (LTR) and Right-to-Left (RTL) scripts, such as English and Arabic. According to Varonis, “by exploiting how browsers handle Right-to-Left (RTL) and Left-to-Right (LTR) scripts, attackers can craft URLs that appear trustworthy but actually lead somewhere else, therefore this method, known as BiDi Swap, can be often abused in phishing attacks.”
This problem builds on a history of Unicode tricks used for spoofing, including:
- Punycode homograph attacks, which replace Latin characters with near-identical Cyrillic or Greek letters (e.g., “аpple.com” vs. “apple.com”).
- RTL override exploits, which insert a Unicode control character (the Right-to-Left Override) into a file name so that it is displayed in reverse after that point: a file actually named blafdp.exe is shown as the seemingly harmless blaexe.pdf.
Together, these tactics demonstrate how minor text-handling quirks can create major security risks.
The vulnerability lies in the Bidirectional (Bidi) Algorithm, the Unicode standard that governs how mixed-direction text is rendered. The algorithm works well in many cases, but Varonis explains that “the Bidi Algorithm usually handles domains decently, it struggles with subdomains and URL parameters. This gap means mixed LTR–RTL URLs might not display as intended, creating an open door for mischief.”
For example, attackers can blend scripts to mimic trusted domains:
At a quick glance, these spoofed links can trick users into believing they’re interacting with a legitimate site.
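A defender-side check for the two weaknesses described above, as an added example that is not part of the Varonis report: it flags explicit Unicode bidi controls anywhere in a string (URL or file name), mixed LTR/RTL text per URL component, and Latin labels that contain Cyrillic or Greek look-alikes. The sample inputs are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Explicit Unicode bidi controls: they reorder how text is displayed
# without changing the characters a browser or OS actually resolves.
BIDI_CONTROLS = {
    "\u200e": "LRM", "\u200f": "RLM",
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def bidi_controls_in(text: str) -> list[str]:
    """List every explicit bidi control in text with its name and offset.
    Works for URLs and file names alike (covers the RTLO file-name trick)."""
    return [f"{BIDI_CONTROLS[ch]} (U+{ord(ch):04X}) at offset {i}"
            for i, ch in enumerate(text) if ch in BIDI_CONTROLS]


def _mixes_direction(text: str) -> bool:
    """True if text contains both strong-LTR and strong-RTL characters."""
    classes = {unicodedata.bidirectional(ch) for ch in text}
    return "L" in classes and bool(classes & {"R", "AL"})


def _mixes_scripts(label: str) -> bool:
    """True if a host label mixes Latin letters with Cyrillic or Greek ones
    (the homograph case, e.g. a Cyrillic 'a' inside 'apple')."""
    scripts = {unicodedata.name(ch, "").split(" ")[0]
               for ch in label if ch.isalpha()}
    return "LATIN" in scripts and bool(scripts & {"CYRILLIC", "GREEK"})


def scan_url(url: str) -> list[str]:
    """Return findings suggesting the URL may render differently from how it resolves."""
    findings = [f"bidi control {f}" for f in bidi_controls_in(url)]
    parts = urlsplit(url)
    host = parts.hostname or ""
    # The Bidi Algorithm copes with bare domains better than with subdomains,
    # paths and query strings, so each component is examined on its own.
    for name, text in (("host", host), ("path", parts.path), ("query", parts.query)):
        if _mixes_direction(text):
            findings.append(f"mixed LTR/RTL text in {name}")
    for label in host.split("."):
        if _mixes_scripts(label):
            findings.append(f"mixed Latin/Cyrillic/Greek letters in host label {label}")
    return findings
```

Run `scan_url` over links extracted from mail or proxy logs; any non-empty result is worth surfacing to the user or analyst before the link is trusted.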
Despite being a known issue for over a decade, browser vendors have yet to deliver a comprehensive fix. Varonis points out that “Chrome’s ‘Navigation suggestion for lookalike URLs’ feature provides partial protection, but our testing shows it only flags certain domains (e.g., ‘google.com’), letting many others fly under the radar.”
Firefox, on the other hand, takes a different approach by highlighting key parts of the domain in the address bar to help users detect suspicious links. Microsoft’s Edge team reportedly marked the issue as “resolved,” but URL representation remains unchanged.
Varonis concludes that user awareness remains critical: “Always verify suspicious URLs — especially those that mix scripts or show unexpected patterns.” The team also urges browser developers to strengthen domain highlighting and lookalike detection, while organizations should continue educating users about link safety.