BiDi Swap: URL Spoofing Exploiting Bidirectional Text
Summary
A decade-old weakness in how browsers render mixed Right-to-Left (RTL) and Left-to-Right (LTR) text can be exploited to create deceptive URLs. The technique, which Varonis Threat Labs calls BiDi Swap, lets attackers craft URLs whose address-bar rendering resembles a legitimate site while the host the browser actually connects to is attacker-controlled. The Unicode Bidirectional (BiDi) Algorithm, part of the Unicode Standard, reorders mixed LTR and RTL text for display; when RTL characters appear in subdomains or URL parameters, the visual order of URL segments can differ from their logical order, so the real hostname is not where the user expects to see it. This makes the trick well suited to phishing. Browsers have partial mitigations, but the problem persists. Varonis recommends awareness, user education and improved browser protections to counter it.
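As an added example (not code from the Varonis write-up or the BleepingComputer article): a pre-navigation check in JavaScript that flags URLs whose address-bar rendering may be reordered by the BiDi algorithm, and reports the host the browser would actually connect to, using the WHATWG URL parser (which converts IDN labels to xn-- punycode). The RTL ranges, the bidi control list, the sample strings and the `attacker.example` host are constructed for illustration; the check does not implement the Unicode BiDi Algorithm itself and does not reproduce Varonis' exact spoof strings.

```javascript
// Heuristic BiDi Swap check (constructed example, not Varonis' tooling):
// flag URLs carrying RTL script or explicit bidi controls in any component,
// and report the host the browser would really resolve.

// Right-to-left script blocks: Hebrew, Arabic, Syriac, Thaana, NKo, Samaritan,
// Mandaic, Arabic Extended, plus the Hebrew/Arabic presentation forms.
const RTL_RANGES = [
  [0x0590, 0x08FF],
  [0xFB1D, 0xFDFF],
  [0xFE70, 0xFEFF],
];

// Explicit bidi formatting characters: ALM, LRM/RLM, embeddings, overrides, isolates.
const BIDI_CONTROLS = new Set([
  0x061C, 0x200E, 0x200F,
  0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
  0x2066, 0x2067, 0x2068, 0x2069,
]);

// Count RTL letters and bidi controls in a string (iterates by code point).
function scan(text) {
  let rtl = 0, controls = 0;
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    if (BIDI_CONTROLS.has(cp)) controls++;
    else if (RTL_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi)) rtl++;
  }
  return { rtl, controls };
}

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Split on the generic URI syntax so each component is inspected in the form a
// user would see it, before the URL parser percent-encodes or punycodes it.
function splitRaw(raw) {
  const m = raw.match(/^([a-zA-Z][a-zA-Z0-9+.-]*):\/\/([^/?#]*)([^?#]*)(\?[^#]*)?(#.*)?$/);
  if (!m) return null;
  const authority = m[2];
  const at = authority.lastIndexOf('@');
  return {
    userinfo: at >= 0 ? authority.slice(0, at) : '',
    host: at >= 0 ? authority.slice(at + 1) : authority,
    path: safeDecode(m[3] || ''),
    query: safeDecode(m[4] || ''),
    fragment: safeDecode(m[5] || ''),
  };
}

// Returns { suspicious, reasons, rtlComponents, controlComponents, connectsTo }.
// connectsTo is the ASCII hostname the browser resolves (IDN labels as xn--...).
function analyzeUrl(raw) {
  const parts = splitRaw(raw);
  if (!parts) {
    return { suspicious: true, reasons: ['not an absolute URL'], rtlComponents: [],
             controlComponents: [], connectsTo: null };
  }

  let connectsTo = null;
  try {
    connectsTo = new URL(raw).hostname;
  } catch (e) {
    // e.g. bidi controls inside a host label are rejected by IDNA processing
  }

  const rtlComponents = [];
  const controlComponents = [];
  for (const [name, text] of Object.entries(parts)) {
    const { rtl, controls } = scan(text);
    if (rtl) rtlComponents.push(name);
    if (controls) controlComponents.push(name);
  }

  const reasons = [];
  if (rtlComponents.length) reasons.push('RTL script in ' + rtlComponents.join(', '));
  if (controlComponents.length) reasons.push('bidi controls in ' + controlComponents.join(', '));
  if (parts.userinfo) reasons.push('userinfo before @ can mimic a hostname');
  if (connectsTo === null) reasons.push('URL parser rejected the input');

  return { suspicious: reasons.length > 0, reasons, rtlComponents, controlComponents, connectsTo };
}

// Constructed sample: a brand-looking prefix, a Hebrew label, and the real host last.
const SAMPLE_SPOOF =
  'https://login.example-bank.com.\u05D0\u05EA\u05E8.attacker.example/\u05D0\u05D9\u05DE\u05D5\u05EA?u=\u05D3\u05E0\u05D9';
```

Compare `connectsTo` with what a user believes the link points to; that single comparison is what the BiDi reordering defeats visually. Treat hits as a warning rather than a block: legitimate Hebrew and Arabic IDNs and RTL query strings trigger the RTL rule, whereas the bidi-control rule (U+202E and friends) has almost no benign use in a URL and can be enforced strictly.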
Timeline
28.10.2025 16:05 · 1 article
BiDi Swap URL Spoofing Exploit Detailed
Varonis Threat Labs has detailed BiDi Swap, a technique that exploits how browsers render mixed RTL and LTR text. It lets attackers craft URLs whose address-bar rendering looks legitimate while the host actually resolved belongs to the attacker. The issue primarily affects subdomains and URL parameters, making it a significant risk for phishing. Various browsers have partial mitigations, but the problem persists. Awareness and improved browser protections are recommended to counter it.
Sources:
- BiDi Swap: The bidirectional text trick that makes fake URLs look real — www.bleepingcomputer.com — 28.10.2025 16:05
Information Snippets
- BiDi Swap exploits how browsers render mixed RTL and LTR text in the address bar, so that a URL's displayed form differs from the host it actually resolves to.
  First reported: 28.10.2025 16:05 (1 source, 1 article): www.bleepingcomputer.com
- The Unicode BiDi Algorithm reorders mixed LTR and RTL text for display; in URLs this is most problematic in subdomains and URL parameters, where reordering can move segments out of their logical position.
  First reported: 28.10.2025 16:05 (1 source, 1 article): www.bleepingcomputer.com
- Chrome has a partial mitigation in its 'Navigation suggestion for lookalike URLs' feature.
  First reported: 28.10.2025 16:05 (1 source, 1 article): www.bleepingcomputer.com
- Firefox highlights the domain in the address bar and de-emphasises the rest of the URL, which helps users spot potential spoofs.
  First reported: 28.10.2025 16:05 (1 source, 1 article): www.bleepingcomputer.com
- Microsoft Edge was informed of the issue, but its URL rendering remains unchanged.
  First reported: 28.10.2025 16:05 (1 source, 1 article): www.bleepingcomputer.com
- The Arc browser, which is no longer under development, handled BiDi Swap correctly.
  First reported: 28.10.2025 16:05 (1 source, 1 article): www.bleepingcomputer.com
- Varonis recommends awareness, improved browser protections and user education to counter BiDi Swap.
  First reported: 28.10.2025 16:05 (1 source, 1 article): www.bleepingcomputer.com