The Invisible Trap: How a 10-Year-Old BiDi Swap Vulnerability Still Threatens Web Security

Listen to this Post

Featured Image

🎯 Introduction

In the fast-moving world of cybersecurity, not all threats are born yesterday. Some lurk quietly for years, waiting for the perfect moment to strike. One such hidden danger is BiDi Swap, a decade-old URL spoofing trick that continues to fool even experienced users and evade browser protections. Originally discovered years ago, this vulnerability exploits the complex way browsers handle mixed text directions—Right-to-Left (RTL) and Left-to-Right (LTR)—to create URLs that look trustworthy but lead elsewhere.

Now, Varonis Threat Labs is reigniting the discussion, warning that this subtle flaw could become a powerful weapon in modern phishing attacks, especially as artificial intelligence makes social engineering even more convincing.

🧩 A Decade-Old Deception in the Digital Age

The BiDi Swap vulnerability takes advantage of how browsers interpret mixed text directions. Languages like English or Spanish read left-to-right, while Arabic and Hebrew read right-to-left. This coexistence often confuses the Bidirectional (BiDi) Algorithm, part of the Unicode Standard responsible for displaying text correctly in both directions.

When used in web addresses, these text direction switches can make URLs appear reversed or rearranged. For example, a domain may look like “secure.bank.com,” but actually redirect to “com.fakebank.secure.” In phishing emails, such manipulations are gold for attackers—they create links that seem safe at a glance but lead directly into traps.

This is not the first Unicode trick hackers have used. Before BiDi Swap, the digital landscape had already seen Punycode Homograph Attacks and RTL Override Exploits, where attackers used visually identical characters or hidden text direction switches to deceive users.

Punycode Homograph Attacks replaced common Latin letters with nearly identical Cyrillic or Greek characters—making fake websites like “аpple.com” or “раypal.com” indistinguishable from the real ones.

RTL Override Exploits used Unicode control characters like U+202E to flip text direction, disguising harmful file extensions or URLs. What looked like a harmless “document.pdf” could actually be a “malware.exe” in disguise.

These attacks revealed how a single invisible character can change everything. BiDi Swap builds on that history, using the same linguistic complexity to bypass visual trust.

⚙️ How BiDi Swap Works Behind the Scenes

To understand BiDi Swap, one must first understand the structure of a URL. Each web address follows a consistent pattern:

Protocol: Defines how the site is accessed (e.g., “https://”)

Subdomain: Organizes site content (e.g., “www.”

in “www.example.com”

)

Domain and TLD: The recognizable part of the site (e.g., “example.com”)

Path and Parameters: Specify the exact resource or data being accessed (e.g., “/post?id=123”)

When attackers combine LTR and RTL scripts in these segments, the browser sometimes misinterprets how to display them. A domain that should appear as “abc.def.com” might show as “com.def.abc” or worse—partially hidden.

This means a phishing site hosted at “malicious.example.com” could easily appear to be “example.com/malicious,” giving users a false sense of safety.

🔒 Why Browsers Struggle to Stop It

Despite being known for over a decade, major browsers still grapple with BiDi Swap.

Chrome: Google’s browser has partial protection through its “Navigation Suggestions for Lookalike URLs” feature, which warns users about domains that resemble popular sites. But according to Varonis tests, only high-profile domains like “google.com” trigger alerts, leaving smaller or lesser-known ones vulnerable.

Firefox: Mozilla took a UI-based approach instead, emphasizing key domain sections in the address bar to help users spot suspicious links. It’s a more user-friendly fix, though not foolproof.

Microsoft Edge: Although Microsoft has marked the issue “resolved,” inconsistencies remain in how URLs with mixed scripts are displayed.

Arc Browser: While no longer maintained, Arc once showcased how BiDi handling could be done correctly—offering a rare example of proactive design.

This long-standing inconsistency underscores a larger problem: browser-level mitigations are fragmented, and user awareness remains dangerously low.

🛡️ The Modern Context: Why It Matters More Today

In 2025, phishing has evolved far beyond the crude scams of the early internet. With AI-driven content generation, attackers can craft personalized, convincing messages and combine them with deceptive URLs that pass both visual and technical scrutiny.

Varonis Threat Labs’ latest report on the State of Data Security 2025 analyzed over 1,000 IT environments and found that 99% of organizations have exposed sensitive data that AI tools could easily exploit.

That’s why BiDi Swap isn’t just a curiosity—it’s a potential disaster multiplier. A single deceptive URL could bypass email filters, fool executives, and unlock a chain of breaches.

⚔️ Fighting Back: Awareness and Action

To mitigate the risk, experts recommend a mix of human vigilance and technical reinforcement:

Always verify URLs before clicking, especially when scripts or symbols seem unusual.

Encourage browser improvements that emphasize true domain names, not just display text.

Educate employees to hover over links, inspect SSL certificates, and check full domain paths.

A few seconds of skepticism can prevent days of damage.

Meanwhile, Varonis Interceptor, an advanced threat detection system integrated into the Varonis Data Security Platform, uses multimodal AI to catch phishing attempts and email-based intrusions before they reach users. This AI-driven solution scans both inbound and outbound traffic, remediates exposure risks, and monitors for abnormal activity—creating an end-to-end shield against digital deception.

💡 What Undercode Say:

BiDi Swap may seem like an old ghost in the machine, but its persistence reveals something deeper about cybersecurity: the hardest problems are often human perception, not code.

Browsers are built to display information clearly, but attackers exploit that trust. When a single invisible Unicode character can flip the meaning of a web address, the line between authentic and fraudulent becomes razor thin.

From a strategic perspective, this flaw highlights a blind spot in browser security models. Most protections focus on network traffic, SSL validation, and known phishing databases. Few account for the psychological deception of mixed-script URLs.

The real risk isn’t just in the code—it’s in visual manipulation. As users, we rely on visual cues like lock icons or familiar spellings. BiDi Swap undermines both.

For cybersecurity teams, the takeaway is clear: prevention must evolve from syntax to semantics. Threat detection systems should analyze not only where a link points, but how it visually represents itself. Machine learning models could play a crucial role here, scanning for directional inconsistencies or mismatched Unicode patterns.

Meanwhile, browser vendors must move beyond cosmetic patches. The ideal defense would render mixed-script URLs in a standardized, unambiguous format—perhaps displaying both their encoded form and visual rendering side by side.

From an organizational standpoint, education is the most powerful tool. Teaching users the difference between “https://secure.bank.com”

and “https://com.bank.secure”

could save millions in breach costs.

Ultimately, BiDi Swap is a reminder that language, typography, and trust are now cybersecurity frontiers. In an age of AI-powered phishing, even the direction of text can decide the fate of a company.

🔍 Fact Checker Results

✅ BiDi Swap is a real, decade-old browser vulnerability recognized by major browsers.
✅ Punycode and RTL-based spoofing have historically enabled phishing attacks.
❌ No major browser has fully neutralized the BiDi Swap display issue yet.

📊 Prediction

🔮 As phishing attacks become AI-enhanced, visual deception tactics like BiDi Swap will resurface in new forms.
💼 Expect browser developers to prioritize visual URL verification systems and Unicode normalization in future updates.
🧠 Human education and AI-driven threat monitoring will remain the strongest defenses against the oldest trick in the book—trusting what you see.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.stackexchange.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon