If you’ve ever thought, “I can’t keep up with all these new computer threats,” you’re in good company. Hackers and scammers are always finding new ways to trick users into clicking links that download malware or steal their information.
One of the latest tactics being used by attackers in phishing attacks is called the Bidi Swap.
What Is the “Bidi Swap Vulnerability”?

Computers are used worldwide, so they have to work in every country. That means a lot of unfamiliar languages and symbols. Some languages, like English, read left to right. Others, like Arabic or Hebrew, read right to left. To make both kinds of languages work on the same computer, the text encoding computers use (Unicode) includes special bidirectional (Bidi) control characters. These are invisible characters that tell the computer which direction to display the text.
Researchers discovered that attackers could abuse these invisible characters to make it look one way to the person reading it, but run differently when the computer executes it. That’s why it’s called the “Bidi swap,” “Bidi trick,” or “Unicode source code attack.” They’re all talking about the same core idea: invisible characters that confuse how text appears versus how it behaves.
How the Bidi Swap Works

To understand how the Bidi Swap trick works, it helps to understand how a web address works. Even if you don’t remember that a web address is also known as a Uniform Resource Locator, or URL, you see them every day.
Let’s break down the following URL from Microsoft to get help with your computer:
https://support.microsoft.com/help?id=windows
- Protocol: Usually “http://” or “https://”, which tells your browser how to connect, with the “https://” version being the more secure one.
- Subdomain: Text before the main name, usually for a subsection of a website, like the “support” in support.microsoft.com.
- Domain: The main part of the address, usually the company name, such as microsoft.
- Top-Level Domain (TLD): The ending, like “.com,” “.org,” or “.net.”
- Path: Anything that comes after the domain, such as /help, which is usually a more detailed section.
- Parameters / Query Strings: Extra information added after a question mark, such as ?id=windows. This usually tells the webpage more information about what you’re looking for, so that it can display the correct information.
Normally, all of this reads from left to right, but what happens when you mix in text from languages that read right to left, like Hebrew or Arabic? That’s where things get messy. Right-to-left languages have special invisible instructions that tell your computer which direction to show them. When these characters are added into URLs, browsers sometimes rearrange how the address appears, even though the underlying address stays the same.
For example, imagine an extremely simple right-to-left domain in Hebrew:
http://ו.קום
Now let’s add a protocol and a parameter (a piece of extra information):
http://ו.קום\microsoft.com
It still doesn’t look like a normal Microsoft link, but mixing left-to-right and right-to-left characters changes the visual order in surprising ways.
https://microsoft.com.ו.קום
At a quick glance, this can look like you’re visiting something related to microsoft.com, but you’re not. The real domain, the part that matters (ו.קום), is not Microsoft.
Attackers can build on this by adding paths, numbers, or symbols:
https://microsoft.com.ו.קום/ـ/
https://microsoft.com.ו.קום/443:ـ/
https://microsoft.com.ו.קום/1337/ـ/
To the common user, the beginning of the link looks trustworthy – “microsoft.com” – but in reality “microsoft.com” is just the first part of a longer host name, and the part that decides where you end up is the real domain at the end (ו.קום). That means your browser is connecting to a completely unrelated site, even though visually it appears legitimate.
This is how the Bidi Swap works: Your eyes see one thing. The computer sees another.
It doesn’t “break” the browser; it simply plays with how text is shown on the screen, creating a visual illusion. Even trained professionals can be fooled if they don’t look closely at the actual domain.
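As an added example, not part of the original article, the Python script below pulls a URL apart the way the computer does: the parts listed earlier (protocol, host, path) plus the bidi signals this section describes. It reports the host name the browser will actually connect to, the Punycode (xn--) form each label takes on the wire, whether the URL mixes left-to-right and right-to-left text (so its displayed order can differ from its real order), whether it carries invisible bidi control characters, and whether a trusted name such as microsoft.com is only the leading labels of a longer host. The function names, the trusted-domain list and the constructed sample URL containing a U+200F mark are assumptions of this example; so is the approximation of the “real domain” as the last two labels of the host, which a production checker would replace with a public-suffix list.

```python
import unicodedata
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Bidi classes of the explicit directional formatting characters
# (embeddings, overrides, isolates and their terminators).
EXPLICIT_BIDI_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
RTL_CLASSES = {"R", "AL"}  # Hebrew and other RTL letters; Arabic letters


def browser_style_normalize(url: str) -> str:
    """Browsers treat a backslash like a slash in http(s) URLs (WHATWG URL
    parsing); urllib does not. Normalize first so the host ends where the
    browser would end it."""
    scheme, sep, rest = url.partition("://")
    if sep and scheme.lower() in ("http", "https"):
        rest = rest.replace("\\", "/")
    return scheme + sep + rest


def analyze_url(url: str) -> Dict[str, object]:
    """Pull a URL apart the way the machine does and collect bidi signals."""
    normalized = browser_style_normalize(url)
    parts = urlsplit(normalized)
    host = parts.hostname or ""
    labels = host.split(".")
    classes = {unicodedata.bidirectional(ch) for ch in normalized}
    return {
        "host": host,
        "path": parts.path,
        "labels": labels,
        # Assumption: no public-suffix list is used here, so the registrable
        # domain is approximated as the last two labels of the host.
        "registrable_domain": ".".join(labels[-2:]),
        # Punycode (xn--) form of each label, which is what DNS actually sees.
        "punycode_labels": [lbl.encode("idna").decode("ascii") for lbl in labels],
        # The URL contains both LTR and RTL text, so its displayed order can
        # differ from its logical order.
        "mixed_direction": "L" in classes and bool(classes & RTL_CLASSES),
        # Invisible directional formatting characters anywhere in the URL.
        "explicit_bidi_controls": any(
            unicodedata.bidirectional(ch) in EXPLICIT_BIDI_CLASSES
            or unicodedata.category(ch) == "Cf"
            for ch in normalized
        ),
    }


def impersonated_brand(host: str, trusted_domains: Iterable[str]) -> Optional[str]:
    """Return a trusted domain that appears as the leading labels of the host
    but is not its registrable domain (e.g. 'microsoft.com' at the front of
    'microsoft.com.<something else>')."""
    labels = host.split(".")
    registrable = ".".join(labels[-2:])
    for trusted in trusted_domains:
        t_labels = trusted.lower().split(".")
        if labels[: len(t_labels)] == t_labels and registrable != trusted.lower():
            return trusted
    return None


def check_url(url: str, trusted_domains: Iterable[str] = ("microsoft.com",)) -> List[str]:
    """Defender-side checks: human-readable warnings for one URL."""
    info = analyze_url(url)
    warnings = []
    if info["mixed_direction"]:
        warnings.append("URL mixes left-to-right and right-to-left text; "
                        "its displayed order may not be its real order")
    if info["explicit_bidi_controls"]:
        warnings.append("URL contains invisible bidi control characters")
    brand = impersonated_brand(info["host"], trusted_domains)
    if brand:
        warnings.append(f"'{brand}' is only the start of the host; "
                        f"the real domain is {info['registrable_domain']}")
    return warnings


if __name__ == "__main__":
    # Sample URLs from the article plus one constructed URL carrying an
    # invisible right-to-left mark (U+200F) in its path.
    for sample in (
        "https://support.microsoft.com/help?id=windows",
        "http://ו.קום\\microsoft.com",
        "https://microsoft.com.ו.קום/443:ـ/",
        "https://example.com/\u200finvoice.pdf",
    ):
        info = analyze_url(sample)
        print(f"{sample!r}\n  host={info['host']!r} dns={info['punycode_labels']}")
        for warning in check_url(sample):
            print("  WARNING:", warning)
```

Run as a script it prints the machine’s view of each sample: the plain Microsoft support URL produces no warnings, the backslash sample resolves to the host ו.קום with microsoft.com pushed into the path, and the microsoft.com.ו.קום sample is flagged both for mixed direction and because microsoft.com is only the front of the host. Note that a purely right-to-left domain is not malicious by itself; the signals above are meant to prompt a closer look at the real domain, which is the same habit the article recommends.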
Why and How Attackers Use This Trick

Quite simply, if the attacker can get you to click the link, they can:
- Take you to a fake login page that steals your credentials or other information
- Get you to download and install malware that looks legitimate or turns legitimate software into spyware
- Get you to visit a spoofed website that looks like a trusted site, such as your bank or a shopping site with incredible deals
- Create a backdoor that gives them access to your computer or gives them access in the future
Similar to attackers using a short URL to hide malicious links, they are using right-to-left characters and rearranging how the URL is displayed. That way, they can make a dangerous link look like it belongs to a trusted company, such as Microsoft, your bank, your email provider, social media, or anywhere else.
Here’s how it’s being used:
Poisoned Software Updates: An attacker might use the Bidi trick to hide bad code in:
- A free tool you download
- An open-source project which developers use in legitimate software
- A browser extension
If you install software from random websites, such as a “free AI tool,” a browser extension, or pop-up “updates,” you’re at much higher risk.
Malicious Scripts Hidden in Documents: In some cases, invisible characters can be used in scripts embedded in documents, spreadsheets, presentations, PDFs, and email attachments. These are often disguised as invoices, billing statements, fake shipping notices, and password reset notifications. That “innocent looking” file attached to an email or message could contain hidden logic designed to run code without you realizing it.
Tampered Websites or Online Tools: If attackers succeed at getting you to click on the link, they’ll often redirect you to dangerous sites, direct you to a spoofed website or fake login page, or will trigger malicious software to download automatically. While you might feel like you’re on a familiar or trusted website, these unseen changes in the code are working behind the scenes.
Unfortunately, It’s Not Being Caught

Once this issue was made public, major software providers, compilers, and platforms took it seriously. Many now warn users when they see suspicious Bidi characters in code or URLs and reject code with these invisible characters. However, recent testing found that web browsers weren’t always warning users sufficiently.
Chrome: While Chrome’s “Navigation suggestion for lookalike URLs” feature provides partial protection, it seems to only flag certain domains (e.g., “google.com”), letting many others fly under the radar.
Firefox: Rather than relying on suggestions for lookalike URLs, Firefox takes a different approach, highlighting key parts of the domain in the address bar. Of these browsers, Firefox makes it easier for users to spot potential spoofs or suspicious links.
Edge: We could not find any warnings or highlights for these domains, and the Bidi Swap URL still appears.
While antivirus protection may be able to help if you download malware or spyware, it’s important to continue to closely examine URLs before clicking on a link.
What You Need to Do

You don’t have to be able to read code, but there are some things you can do. These steps don’t just help with the Bidi Swap issue. They help with a lot of other threats too.
Keep Everything Updated with Security Updates
When companies learn about vulnerabilities like this, they usually release security updates. Those updates often include behind-the-scenes fixes or warning notifications for issues just like this one. Turn on automatic updates for your computer, software, and phone, and when your device says, “A restart is required to finish installing updates,” don’t put it off.
Only Install Software from Trusted Sources
Malware is most dangerous when it’s malicious code hidden inside downloaded programs or browser add-ons. Only use trusted app stores to download software to your phone or computer, and avoid downloading software from pop-up ads, “free” download sites, or random links in emails or social media messages. We’ve already warned people about pop-ups that say, “Your computer is infected! Click here to install our security tool!” – that’s not help, that’s a trap.
Be Cautious of Unexpected Links or Attachments
Quite simply, if you didn’t expect a link or file, don’t recognize the sender, or the link or filename looks odd – don’t click or open the attachment. If you’re not sure about something from an individual, call or message the person using a known number or contact method. Don’t reply to the email or call the phone number within the email, since it’ll likely go directly back to the attacker. If it looks like it’s from a legitimate company, go directly to their website, or call their customer service number.
Use Security Tools and Software
First, use the software that’s built into your device, such as Windows Security, or XProtect/Gatekeeper on a Mac. Having a quality antivirus tool installed and kept updated can help detect and block many potential issues. Consider more comprehensive protection such as Norton Antivirus, McAfee, Bitdefender, or Kaspersky.
Be Careful with Browser Extensions
Browser extensions (add-ons for Chrome, Edge, etc.) are a common place where attackers try to sneak in hidden code. Only install extensions you truly need, and get them from the browser’s official extension store. Check your extensions often, and delete any you don’t use. If a website says, “To continue, please install this browser extension,” that’s a red flag.
Turn On Multi-Factor Authentication (MFA)
Even if something slips past your defenses and you accidentally share your credentials, having MFA can help protect your accounts and limit the damage. We’ve shared information on how you can set up MFA for your various accounts. It’s also important to use unique passwords for each account, so that if an attacker manages to steal one password, they can’t reuse it to access your other accounts. We’ve also shared how a password manager can help with this. There are numerous password managers available on the market, both free and paid. Here are some you may consider:
Being Aware of the Bidi Swap Trick

The Bidi Swap trick may sound complicated, but the goal behind it is simple: attackers want to make dangerous links look trustworthy so you’ll click without thinking. They rely on confusion, distraction, and split-second decisions. The good news is that you don’t have to spot invisible characters or understand how browsers handle different languages to stay safe. You just need to follow the same smart habits that protect you from every other online scam. Keep your devices updated, only install apps from trusted sources, slow down and double-check unexpected links or attachments, and use strong security tools like antivirus and multi-factor authentication. Attackers may use new tricks, but the defenses that keep you safe remain surprisingly consistent. With a few cautious habits and an eye for anything that feels “off,” you can stay ahead of these scams and keep your information and devices far out of harm’s way.
