Original Article Text


BiDi Swap: The bidirectional text trick that makes fake URLs look real

Varonis Threat Labs is shining a spotlight on a decade-old vulnerability that opens the door to URL spoofing. By exploiting how browsers handle Right-to-Left (RTL) and Left-to-Right (LTR) scripts, attackers can craft URLs that appear trustworthy but actually lead somewhere else, which is why this method, known as BiDi Swap, is often abused in phishing attacks.

Past Unicode attacks and spoofing

Before BiDi Swap, several Unicode-based tricks were used to fool both users and browsers into displaying deceptive text or URLs. Two standout examples are:

While these control characters are necessary for handling right-to-left languages properly, they can also mask dangerous content or rearrange the layout, so a site or file name appears safe at a quick glance. These past attacks set the stage for BiDi Swap by revealing how tiny nuances in text handling can have big security consequences, and how ongoing vigilance is needed to prevent these spoofing tricks.

LTR, RTL and BiDi who?

When it comes to text direction, many languages, like English or Spanish, flow left to right (LTR), while others, such as Arabic or Hebrew, go right to left (RTL). This mix can be a challenge for computers, which need to keep everything aligned so text doesn't become a scrambled mess. That's where the Bidirectional (Bidi) Algorithm steps in. Part of the Unicode Standard, Bidi helps computers correctly display LTR and RTL scripts in the same text. However, while the Bidi Algorithm usually handles domains decently, it struggles with subdomains and URL parameters. This gap means mixed LTR-RTL URLs might not display as intended, creating an open door for mischief.
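A defender-side check for the gap just described (an added example, not code from the article or from Varonis): it uses only the Python standard library's Unicode bidi classes to flag URLs whose host mixes LTR and RTL labels, whose RTL host is followed by LTR path or query text (or the reverse), or which carry explicit bidi control characters. The sample URLs are constructed with placeholder labels.

```python
import unicodedata
from urllib.parse import urlsplit

# Strong directional classes from the Unicode Bidi Algorithm.
RTL_CLASSES = {"R", "AL"}      # Hebrew, Arabic, ...
LTR_CLASSES = {"L"}            # Latin, Cyrillic, ...
# Explicit embedding / override / isolate controls (e.g. U+202E RLO, U+2066 LRI).
CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
# LRM / RLM / ALM are classed as plain L / R / AL, so match them by code point.
CONTROL_CHARS = {"\u200e", "\u200f", "\u061c"}


def directions(text):
    """Return the set of strong direction classes ('L', 'R', 'AL') found in text.
    Digits, dots and slashes are neutral/weak and are ignored on purpose."""
    found = set()
    for ch in text:
        cls = unicodedata.bidirectional(ch)
        if cls in RTL_CLASSES or cls in LTR_CLASSES:
            found.add(cls)
    return found


def has_bidi_controls(text):
    """True if text contains any explicit bidi control or mark character."""
    return any(unicodedata.bidirectional(ch) in CONTROL_CLASSES or ch in CONTROL_CHARS
               for ch in text)


def analyze_url(url):
    """Return findings for URLs whose rendered order may differ from logical order."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    rest = parts.path + parts.query + parts.fragment   # everything after the host
    findings = []
    if has_bidi_controls(url):
        findings.append("explicit bidi control characters present")
    host_dirs = directions(host)
    if host_dirs & RTL_CLASSES and host_dirs & LTR_CLASSES:
        findings.append("host mixes LTR and RTL labels")        # LTR subdomain on RTL host
    rest_dirs = directions(rest)
    if host_dirs & RTL_CLASSES and rest_dirs & LTR_CLASSES:
        findings.append("RTL host with LTR path/query")         # LTR "domain" in a parameter
    if host_dirs & LTR_CLASSES and rest_dirs & RTL_CLASSES:
        findings.append("LTR host with RTL path/query")
    return findings


if __name__ == "__main__":
    # Constructed samples: Hebrew letters stand in for an RTL domain and TLD.
    for sample in ("https://www.example.com/login",
                   "https://varonis.\u05d0.\u05d1/",
                   "https://\u05d0.\u05d1/?\u05d2=login.example.com"):
        print(repr(sample), analyze_url(sample))
```

Flagged URLs are candidates for rendering the host in a visually distinct form (ASCII/punycode or a highlighted registrable domain, as Firefox does) rather than trusting the bidi-reordered display.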
URL structure

Here's a quick refresher on what a URL is and how it's structured: a URL (Uniform Resource Locator) is a standardized way to point to resources on the web, and it typically contains several key components:

Bidi swap

Let's start with something simple: a regular right-to-left (RTL) host (domain + TLD) might look like this (yes, we got a one-letter host):

Now, let's add a protocol and mix in both RTL and LTR parameters:

Notice how placing parameters on the right quickly becomes confusing. Next, let's try adding an English parameter that looks like another domain name:

That still doesn't yield the expected behavior. Now, let's see what happens when we try to mimic a subdomain:

Combining an LTR subdomain with some RTL parameters:

More payloads

Try it yourself: change the varonis subdomain to any domain you like and watch the magic happen!

Disclaimer: This site is provided as-is and is intended solely for educational and informational purposes. It demonstrates a proof-of-concept related to browser behavior and potential misuse. The user assumes full responsibility for any use of the code or techniques presented herein, including any consequences that may arise. The authors and maintainers of this site do not endorse or encourage misuse, and no liability is accepted for any actions taken based on this content.

Browser mitigations

Chrome

Bidi Swap has been a known issue in Chrome for over a decade. While Chrome's "Navigation suggestion for lookalike URLs" feature provides partial protection, our testing shows it only flags certain domains (e.g., "google.com"), letting many others fly under the radar.

Firefox

Firefox has also recognized this as a longstanding issue. However, rather than relying on suggestions for lookalike URLs, Firefox takes a different UI approach. By highlighting key parts of the domain in the address bar, Firefox makes it easier for users to spot potential spoofs or suspicious links.
Edge

We informed Microsoft and they marked the issue as resolved, but the URL representation seems to remain unchanged.

ARC

Arc is no longer developed, but here is an example of a browser that did it right:

Conclusion and recommendations

To combat BiDi Swap, follow these recommendations:

Discover more from the Varonis Threat Labs team on our blog.

End-to-end approach to stop breaches

By offering Varonis Interceptor's unmatched threat detection with the Varonis Data Security Platform and MDDR service, we are speeding up our ability to stop data breach attempts earlier in the attack chain.

Varonis integrates directly with email services like Microsoft Exchange Online to classify inbound and outbound traffic containing sensitive information, remediate posture issues on exposed mailboxes, and monitor anomalous email traffic for insider risks using industry-leading behavior analytics.

The addition of Varonis Interceptor represents a significant advancement in end-to-end email and browser security. By harnessing the power of multimodal AI, it more effectively identifies and mitigates phishing threats than current solutions in the market. Varonis Interceptor allows businesses to confidently protect their inboxes and, subsequently, the sensitive data in their digital estate.

Want to see what Interceptor can do faster? Request a demo today.

Sponsored and written by Varonis.

Daily Brief Summary

VULNERABILITIES // BiDi Swap Vulnerability Enables Deceptive URL Phishing Attacks

Varonis Threat Labs has spotlighted the BiDi Swap vulnerability, which manipulates URL text direction to create deceptive links, posing a significant risk for phishing attacks.

This vulnerability exploits the handling of Right-to-Left (RTL) and Left-to-Right (LTR) scripts, allowing attackers to craft URLs that appear legitimate but redirect users to malicious sites.

BiDi Swap builds on past Unicode-based spoofing tactics, demonstrating the ongoing challenge of securing text directionality in web browsers.

The vulnerability affects major browsers like Chrome and Firefox, with varying degrees of mitigation; Chrome's navigation suggestions only partially address the issue.

Firefox attempts to mitigate risks by highlighting key domain parts in the address bar, aiding users in identifying suspicious links.

Microsoft marked the issue as resolved in Edge, although URL representation concerns remain.

Varonis recommends integrating advanced threat detection tools, such as Varonis Interceptor, to enhance email and browser security against phishing threats.