https://arstechnica.com/security/2017/0 ... -you-want/
Cliff Notes version: Malicious sites can spoof URLs (and potentially HTTPS credentials as well!) of legit sites by using similar-looking Unicode characters from other languages in the URL. Chrome, Firefox, and Opera are vulnerable; a just-released version of Chrome patches the vulnerability for that browser.