Crashing Systems With a Font: The Homograph Attack

A recently vulnerability was been found to crash many Apple iOS devices (such as WhatsApp, Facebook Messenger and Gmail). It derives from a single character from the alphabet of the Telugu language (and which is a Dravidian language and spoken by over 70 million people). The bug was spotted by the Italian blog, Mobile World.

The vulnerability — known as homograph attack (known since 2001) — was found by a Chinese researcher (Xudong Zheng) and now often used by scammers to trick users in regions of the world. A recent scam used the apple.com domain and was even signed by a valid digital certificate:

This shows that the certificate is valid (as it goes green), but it is not the Apple site. The epic.com site was used as a demonstrator of the vulnerability:

The site looks to be signed by epic.com, but where we see the Common Name (CN) is xn — e1awd7f.com: