
Taylor Swift? Never heard of her: https://www.google.com/search?q=Τаylοr+Ѕwіft

:D



Kind of surprised at how poorly Google handles this (I would have expected at least a correction suggestion)! Heck, it might open the door for an obscure blackhat/phishing technique...


Not Google, but apparently one way some malware tries to hide edits to, say, the hosts file is to create a duplicate hosts file with the Cyrillic homoglyph for 'o' and then hide the real hosts file.

Presumably this would trick users who would go check "C:\windows\system32\drivers\etc\" but not show hidden files. Seems like a niche subset, but still a neat trick.


Google operates in a bunch of languages, they can't necessarily just assume you're using codepoints on accident.


Or for shady SEO contracts. Not hard to guarantee #1 results if the contract spells out the exact (unexpected Unicode) phrase you're guaranteeing.


Forget google. Can you do this in domain names?



No, you're mistaken. It is actually a very big problem. Earlier on the same page you linked to, it explains that "ICANN approved the Internationalized domain name system, which maps Unicode strings used in application user interfaces"[1].

As a concrete example, the following are fake links to Wikipedia (and entirely equivalent):

http://xn--wkd-8cdx9d7hbd.org (FAKE, same as below)

http://www.wіkіреdіа.org (FAKE, same as above)

It is true that network protocols encode these internationalized domain names in a subset of ASCII, but the user sees Unicode in his browser address bar or email. There is no restriction on how applications (like browsers) display domain names[2]; they can use Unicode if they want. This leads to all sorts of devious attacks[3].

[1] https://en.wikipedia.org/wiki/Domain_name#Internationalized_...

[2] https://en.wikipedia.org/wiki/Internationalized_domain_name#...

[3] https://en.wikipedia.org/wiki/IDN_homograph_attack
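The two threads above (the Cyrillic-'o' hosts file and the xn-- / Unicode pair of Wikipedia look-alikes) both come down to one check a defender can run: does a label or file name mix letters from more than one script? The following is an added example, not code posted in this thread; it uses only the standard library, approximates the Unicode Script property from character names (unicodedata exposes no script property), and the look-alike hostname and file name it tests are constructed here rather than taken from the thread.

```python
import unicodedata


def script_of(ch: str) -> str:
    """Coarse script tag for one character ('LATIN', 'CYRILLIC', 'GREEK', ...).

    unicodedata has no Unicode Script property, so the first word of the
    character name is used; for letters it names the script. Non-letters
    (digits, '-', '.') return '' so they never count as a script.
    """
    if not ch.isalpha():
        return ""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def scripts_in(text: str) -> set:
    """The set of scripts used by the letters in text."""
    return {s for s in map(script_of, text) if s}


def is_mixed_script(text: str) -> bool:
    """True when letters from more than one script appear (e.g. Latin plus Cyrillic)."""
    return len(scripts_in(text)) > 1


def to_unicode_label(label: str) -> str:
    """Turn an A-label ('xn--...') back into the U-label a browser would display.

    A malformed A-label is returned unchanged rather than crashing the check.
    """
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except ValueError:  # UnicodeError is a ValueError
            return label
    return label


def assess_hostname(host: str) -> dict:
    """Decode every label of a hostname and report which ones mix scripts.

    Accepts both the wire form (punycode) and the display form, so the same
    check works on a URL in an email body and on a hostname in a DNS log.
    """
    labels = []
    for label in host.rstrip(".").split("."):
        u_label = to_unicode_label(label)
        scripts = sorted(scripts_in(u_label))
        labels.append({
            "label": label,
            "unicode": u_label,
            "scripts": scripts,
            "mixed": len(scripts) > 1,
        })
    return {
        "host": host,
        "suspicious": any(entry["mixed"] for entry in labels),
        "labels": labels,
    }


# Constructed samples (assumptions for this example): a wikipedia.org look-alike
# whose i, p, e and a are Cyrillic, and a 'hosts' file name with a Cyrillic o.
LOOKALIKE_HOST = "www.w\u0456k\u0456\u0440\u0435d\u0456\u0430.org"
LOOKALIKE_FILENAME = "h\u043ests"

if __name__ == "__main__":
    wire_form = LOOKALIKE_HOST.encode("idna").decode("ascii")  # the xn-- form
    for host in ("www.wikipedia.org", LOOKALIKE_HOST, wire_form):
        report = assess_hostname(host)
        print(host, "->", "SUSPICIOUS" if report["suspicious"] else "ok")
        for entry in report["labels"]:
            print("   ", entry["label"], repr(entry["unicode"]), entry["scripts"])
    print(LOOKALIKE_FILENAME, "mixed scripts:", is_mixed_script(LOOKALIKE_FILENAME))
```

The mixed-script test catches exactly the kind of label shown in the thread (Latin w, k, d beside Cyrillic і, р, е, а) and the Cyrillic-'o' file name, and browsers now apply checks along these lines before rendering a label in Unicode, falling back to the xn-- form otherwise. It does not catch a label written entirely in one script that happens to look like a Latin word; that needs a confusables table and skeleton comparison (Unicode TR39), which this example deliberately leaves out.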


Maybe some sort of extortion scheme? Send an email to a small business person that isn't very technically savvy, say you have just erased all the search results for their business from Google, provide link, demand a Bitcoin to return the results.

Maybe a low hit rate, but if you could automate it, you could run the scam on a lot of places.


Similar in theme to that trick of sending strangers that "link to your facebook page" (http://facebook.com/profile.php?=73322363)


Can someone explain how this works?


The variable name before "=" is missing, therefore the given profile id gets ignored. By default your own profile id is assumed.


Any invalid ID redirects to your own page, or something like that.



So apparently only the T has been replaced, but why is it showing different values for the "a"?


The 'T', 'a', 'o', 'S', and 'i' were all replaced, not just 'T'


Many have been replaced, with Cyrillic counterparts.



