BIDI Swap: Unmasking the Art of URL Misleading with Bidirectional Text Tricks 

Varonis reveals a decade-old Unicode flaw enabling BiDi URL spoofing—posing phishing risks. Learn how attackers exploit RTL/LTR scripts and browser gaps.
Last updated July 22, 2025

Varonis Threat Labs is shining a spotlight on a decade-old vulnerability that opens the door to URL spoofing. 

By exploiting how browsers handle Right-to-Left (RTL) and Left-to-Right (LTR) scripts, attackers can craft URLs that appear trustworthy but actually lead somewhere else, which makes the technique well suited to phishing attacks. 

LTR, RTL and BiDi who? 

When it comes to text direction, many languages, like English or Spanish, flow left to right (LTR), while others, such as Arabic or Hebrew, go right to left (RTL). This mix can be a challenge for computers, which need to keep everything aligned so text doesn’t become a scrambled mess. That’s where the Bidirectional (Bidi) Algorithm steps in.  

Part of the Unicode Standard, Bidi helps computers correctly display LTR and RTL scripts in the same text. 

However, while the Bidi Algorithm usually handles domains decently, it struggles with subdomains and URL parameters. This gap means mixed LTR–RTL URLs might not display as intended, creating an open door for mischief. 

Past Unicode attacks and spoofing 

Before BiDi Swap, several Unicode-based tricks were used to fool both users and browsers into displaying deceptive text or URLs. Two standout examples are: 

  • Punycode Homograph Attacks: Internationalized Domain Names (IDNs) let websites use non-Latin characters (e.g., Cyrillic “а” and “с” or Greek “ο”) that look nearly identical to well-known Latin letters. This can create spoofed domains that read as “apple.com” or “paypal.com” while differing in only a single character. Browsers convert such names to an ASCII form for consistent handling (Punycode labels beginning with “xn--”), but attackers rely on the address bar showing the visually identical Unicode form, tricking people into believing they’re on a legitimate site.
  • RTL Override Exploits: Some attackers embed special Unicode control characters (e.g., U+202E, RIGHT-TO-LEFT OVERRIDE) that flip text direction mid-string. This can disguise URL paths, make file extensions look harmless, or reorder text to hide malicious file endings. The control character itself is invisible, so a name stored as “bla” + U+202E + “fdp.exe” is displayed with everything after the override reversed:

    “blafdp.exe” -> “blaexe.pdf” 

While these control characters are necessary for handling right-to-left languages properly, they can also mask dangerous content or rearrange the layout, so a site or file name appears safe at a quick glance. 

These past attacks set the stage for BiDi Swap by revealing how tiny nuances in text handling can have big security consequences - and how ongoing vigilance is needed to keep these spoofing tricks at bay. 
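To make the two mechanisms above concrete, here is an added Python example; it is not code from the Varonis write-up. It models the RLO display trick for the page’s “blafdp.exe” file name (a deliberately simplified model of a single override with no terminating PDF, not the full Unicode Bidirectional Algorithm), lists every directional control character found in a string, and shows how the IDNA (Punycode) form of a one-character homograph exposes the swap that the Unicode rendering hides. The Cyrillic-“а” sample “аpple.com”, the script-name heuristic and all function names are my own constructions.

```python
import unicodedata

# Unicode directional formatting characters: the explicit embeddings,
# overrides and isolates plus the LRM/RLM/ALM marks. An RTL-override trick
# depends on one of these being present in the string.
BIDI_CONTROLS = {
    0x061C,                                   # ARABIC LETTER MARK
    0x200E, 0x200F,                           # LRM, RLM
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,   # LRE, RLE, PDF, LRO, RLO
    0x2066, 0x2067, 0x2068, 0x2069,           # LRI, RLI, FSI, PDI
}
RLO = "\u202e"
PDF = "\u202c"


def find_bidi_controls(text):
    """Return (index, 'U+XXXX', Unicode name) for each directional control in text."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(text)
        if ord(ch) in BIDI_CONTROLS
    ]


def simulate_rlo_display(text):
    """Deliberately simplified model of the RLO trick: with exactly one U+202E
    and no closing PDF, everything after the override is forced right-to-left
    and is therefore drawn reversed. Real renderers run the full Unicode
    Bidirectional Algorithm; this reproduces only that single case."""
    if text.count(RLO) != 1 or PDF in text:
        raise ValueError("model handles exactly one RLO and no PDF")
    head, tail = text.split(RLO)
    return head + tail[::-1]


def to_punycode(hostname):
    """ASCII (IDNA/Punycode) form of a hostname; non-ASCII labels come back as xn--."""
    return hostname.encode("idna").decode("ascii")


def script_of(ch):
    """Crude script lookup from the Unicode character name, e.g. 'LATIN', 'CYRILLIC'.
    This name-prefix heuristic is an approximation, not a real Script property lookup."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def find_mixed_script_labels(hostname):
    """Labels whose letters come from more than one script (a homograph signal).
    Digits and hyphens are ignored."""
    flagged = []
    for label in hostname.split("."):
        scripts = sorted({script_of(ch) for ch in label if ch.isalpha()})
        if len(scripts) > 1:
            flagged.append((label, scripts))
    return flagged


if __name__ == "__main__":
    # Constructed samples: the page's RLO file name and a one-character homograph.
    rlo_name = "bla" + RLO + "fdp.exe"          # the page's example, shown as blaexe.pdf
    homograph = "\u0430pple.com"                # Cyrillic 'а' (U+0430) in place of Latin 'a'
    print(simulate_rlo_display(rlo_name))
    print(find_bidi_controls(rlo_name))
    print(to_punycode(homograph))
    print(find_mixed_script_labels(homograph))
```

The Punycode form is the useful one to log: “xn--pple-43d.com” cannot be confused with “apple.com”, which is why the ASCII form, rather than the rendered Unicode, belongs in mail-gateway and proxy logs.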

URL structure  

Here’s a quick refresher on what a URL is and how it’s structured: A URL (Uniform Resource Locator) is a standardized way to point to resources on the web, and it typically contains several key components: 

  • Protocol (Scheme): This defines how the resource is accessed, for example “http://” or “https://.” 
  • Subdomain: An optional part before the main domain (e.g., “www.” in “www.example.com”), which can organize content within larger sites 
  • Domain: The core part of the address (e.g., “example”) 
  • Top-Level Domain (TLD): The ending of the domain name (e.g., “.com,” “.org,” “.net”) that often indicates the purpose or geographical location 
  • Path: The directory or file structure that appears after the domain (e.g., “/blog/posts”) 
  • Query String/Parameters: Key-value pairs used to pass extra information to the server, usually starting with a question mark (e.g., “?id=123”) 

(Diagram: BiDi Swap URL structure)

BiDi Swap 

Let’s start with something simple: a regular right-to-left (RTL) host (domain + TLD) might look like this (yes, that is a one-letter host): 

  • ו.קום  

Now, let’s add a protocol and mix in both RTL and LTR parameters: 

  • http://ו.קום\פרמטר 
  • http://ו.קום\parameter 

Notice how placing parameters on the right quickly becomes confusing. Next, let’s try adding an English parameter that looks like another domain name: 

  • http://ו.קום\varonis.com 

That still doesn’t yield the expected behavior. Now, let’s see what happens when we try to mimic a subdomain: 

  • https://ורוניס.קום.ו.קום 
  • https://varonis.com.ו.קום 

Combining an LTR subdomain with some RTL parameters: 

  • https://varonis.com.ו.קום\פרמטר 

More payloads 

  • https://varonis.com.ו.קום/ـ/ 
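The payloads above contain no control characters at all, so a filter that looks for U+202E and its relatives will not catch them; what gives them away is a host whose labels run in different directions. The following Python checker is an added example, not code from the Varonis write-up. It copies the page’s Hebrew payloads (written as escapes, so the source file itself is not subject to bidi reordering), applies the WHATWG URL rule that browsers treat a backslash in an http(s) URL like a slash, classifies each host label by the strong bidi class of its characters, and reports which part of the host actually carries the registration. The last-two-labels approximation of the registrable domain and the `analyze_url`/`explain` names are assumptions of mine.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed copies of the page's payloads, written as escapes so that an
# editor does not reorder the source line itself.
HEBREW_HOST = "\u05d5.\u05e7\u05d5\u05dd"         # ו.קום : one-letter host + RTL "com"
HEBREW_PARAM = "\u05e4\u05e8\u05de\u05d8\u05e8"    # פרמטר : "parameter"
BIDI_SWAP_URL = "https://varonis.com." + HEBREW_HOST + "\\" + HEBREW_PARAM
PLAIN_RTL_URL = "http://" + HEBREW_HOST + "\\" + HEBREW_PARAM
ORDINARY_URL = "https://www.example.com/blog/posts?id=123"


def normalize_separators(url):
    """The WHATWG URL parser used by browsers treats '\\' like '/' in http(s)
    URLs, so a backslash ends the host and starts the path."""
    return url.replace("\\", "/")


def label_direction(label):
    """Classify a host label by the strong bidi classes of its characters
    (unicodedata.bidirectional): 'ltr', 'rtl', 'mixed', or 'neutral'."""
    classes = {unicodedata.bidirectional(ch) for ch in label}
    has_l = "L" in classes
    has_r = bool(classes & {"R", "AL"})
    if has_l and has_r:
        return "mixed"
    if has_l:
        return "ltr"
    if has_r:
        return "rtl"
    return "neutral"


def analyze_url(url):
    """Split the URL the way a browser would and flag hosts whose labels
    run in different directions: the signature of a BiDi Swap address."""
    parts = urlsplit(normalize_separators(url))
    host = parts.hostname or ""
    labels = host.split(".")
    directions = [label_direction(label) for label in labels]
    strong = {d for d in directions if d != "neutral"}
    return {
        "scheme": parts.scheme,
        "host": host,
        "path": parts.path,
        "query": parts.query,
        "labels": list(zip(labels, directions)),
        # Approximation: the last two labels stand in for the registrable
        # domain (no Public Suffix List lookup).
        "registrable_host": ".".join(labels[-2:]),
        "mixed_direction_host": len(strong) > 1 or "mixed" in directions,
    }


def explain(url):
    """One-line verdict in the shape a link scanner or mail gateway would log."""
    r = analyze_url(url)
    if r["mixed_direction_host"]:
        return (f"SUSPECT host {r['host']!r}: labels change direction "
                f"{[d for _, d in r['labels']]}; registrable part is "
                f"{r['registrable_host']!r}, not {r['labels'][0][0]!r}")
    return f"ok host {r['host']!r} ({r['labels'][-1][1]})"


if __name__ == "__main__":
    for url in (BIDI_SWAP_URL, PLAIN_RTL_URL, ORDINARY_URL):
        print(explain(url))
```

Run stand-alone, the BiDi Swap URL is reported as suspect with “ו.קום” as its registrable part, while the pure-RTL host and the ordinary LTR URL pass: a host that is entirely RTL is legitimate and must not be flagged, only the change of direction between labels is the signal.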

Browser mitigations 

Chrome 

Bidi Swap has been a known issue in Chrome for over a decade. While Chrome’s “Navigation suggestion for lookalike URLs” feature provides partial protection, our testing shows it only flags certain domains (e.g., “google.com”), letting many others fly under the radar. 

Firefox 

Firefox has also recognized this as a longstanding issue. However, rather than relying on suggestions for lookalike URLs, Firefox takes a different UI approach. By highlighting key parts of the domain in the address bar, Firefox makes it easier for users to spot potential spoofs or suspicious links. 

Edge 

We informed Microsoft and they marked the issue as resolved, but the URL representation seems to remain unchanged. 

Arc 

This is an example of a browser that is doing it right: 

Conclusion and recommendations 

  • Awareness is key: Always verify suspicious URLs - especially those that mix scripts or show unexpected patterns 
  • Push for improvement: Browser developers should refine existing protections like domain highlighting and lookalike detection to close these security gaps 
  • Educate users and teams: Encourage everyone to hover over links, confirm SSL certificates, and check domain consistency. A few extra seconds can thwart a major security risk. 
