11 Dec 2003, 13:12   #1
JetLinus
Friendly geek of GD :-/
 
Join Date: Nov 2000
Location: On my metal roid
Posts: 923
Wow, this is dangerous...

It's just about Internet Explorer again, but it's been known for quite some time now, and as a lot of people are using IE...

Well, you know, you can type in addresses in the format of
Code:
http://username:password@hostname
Alright, nothing new.
But if you include ASCII Char 0x01 in the part before the url, only this bit will be shown.

Example: What would you think, this link goes to:

Code:
http://pirate.planetarion.com/register.php?do=signup&[email protected]
Yeah, well, LOOKS like it would register you on the boards, including my email as referrer (some websites do this sort of thing).
Ok, that's the first glance. Well-informed people know that there can't be "@" chars in a URL. But who would mistrust that link?

In reality, it will bring you to (my non-existing imaginary) website jetworld.de
All I had to do was copy the signup page of these boards, and steal your password.

It's all shit, innit?

Try THIS link: http://www.microsoft.com. Looks like you are visiting microsoft.com, but you obviously aren't...
I know, the status bar reveals the truth, but using javascript, you could easily fake it as well...

Bad world :-/
__________________
[»] Entropy increases! :-/
11 Dec 2003, 13:17   #2
Raging.Retard
Street Tramp
 
Join Date: Apr 2000
Location: Street Gutter
Posts: 341
Re: Wow, this is dangerous...

OMG OMG OMG !!! INTERNET IN BEING OMG WTF PWNED SHOCKAH.

I heard that there are these things called busses... that move around and are normal. BUT if you step in front of them bad things could happen! Let's ban busses.
__________________
Chimney Pots.
11 Dec 2003, 13:30   #3
JetLinus
Friendly geek of GD :-/
 
Join Date: Nov 2000
Location: On my metal roid
Posts: 923
Re: Wow, this is dangerous...

When it comes to eBay and PayPal accounts, it stops being funny, you know.
Also, it's not just about us tech-guys, geeks, and freaks.

It's about the "normal" people, getting spam emails, doing their course work for uni, normal work, whatever, and getting viruses and trojans by this stupid method.
That's what I meant.

I could have also tried to trick some of you, but as I've told you now, you probably won't fall for it anymore (assuming you're using IE somewhere).


Let's ban busses, if they go at 100 miles an hour and are stealth and go over the pavements, where they drive over your girlfriend.
If they're good and stop at red lights, they're ok....
__________________
[»] Entropy increases! :-/
11 Dec 2003, 13:43   #4
Raging.Retard
Street Tramp
 
Join Date: Apr 2000
Location: Street Gutter
Posts: 341
Re: Wow, this is dangerous...

How is this any worse than someone linking to a trojan EXE? Any reputable company isn't going to do it, and if the link isn't from someone reputable... then why are you clicking on it? It's like the people that click every link they see on IRC.

There are far worse things to be concerned about if you use IE than a disguised URL from someone you shouldn't be trusting anyway. The ability for websites to execute arbitrary code for 90% of (unpatched) IE users is of a far greater concern.
__________________
Chimney Pots.
11 Dec 2003, 14:29   #5
ComradeRob
wasted
 
Join Date: Dec 2000
Location: Under the floorboards
Posts: 1,240
Re: Wow, this is dangerous...

Quote:
Originally Posted by JetLinus
It's just about Internet Explorer again, but it's been known for quite some time now, and as a lot of people are using IE...

Well, you know, you can type in addresses in the format of
Alright, nothing new.
But if you include ASCII Char 0x01 in the part before the url, only this bit will be shown.

Example: What would you think, this link goes to:

Yeah, well, LOOKS like it would register you on the boards, including my email as referrer (some websites do this sort of thing).
Ok, that's the first glance. Well-informed people know that there can't be "@" chars in a URL. But who would mistrust that link?
I probably wouldn't have noticed it myself. However, I can't see anything too harmful about it.

Quote:
Originally Posted by JetLinus
In reality, it will bring you to (my non-existing imaginary) website jetworld.de
All I had to do was copy the signup page of these boards, and steal your password.

It's all shit, innit?

Try THIS link: http://www.microsoft.com. Looks like you are visiting microsoft.com, but you obviously aren't...
I know, the status bar reveals the truth, but using javascript, you could easily fake it as well...

Bad world :-/
Uh-huh...

If you want to see any url then you have to check the status bar - the link could be 'http://www.evilhackersite.com/trojan.php', the only way to see this would be to check the status bar (or tooltip). So in fact it's no different to a normal link... if you click on a link that you don't trust, you're taking your own risk.

The problem isn't a problem with IE, it's a problem with URLs. The URLs you posted are perfectly valid URLs, and would fool people using other browsers just as easily. The lesson, I suppose, is to be careful about the URLs you click on, no matter which browser you use.
__________________
“They were totally confused,” said the birdman, whose flying suit gives him a passing resemblance to Buzz Lightyear in Toy Story. “The authorities said that I was an unregistered aircraft and to fly, you need a licence. I told them, ‘No. To fly, you need wings’.”
11 Dec 2003, 14:54   #6
JetLinus
Friendly geek of GD :-/
 
Join Date: Nov 2000
Location: On my metal roid
Posts: 923
Re: Wow, this is dangerous...

Quote:
Originally Posted by Raging.Retard
How is this any worse than someone linking to a trojan EXE?
The trojan.exe wouldn't run automatically, pretending to be something else. You would clearly get some sort of "save as" or "open" messagebox, etc. It's easier to spot, and there are security features, that won't directly execute any file.


Quote:
Originally Posted by Raging.Retard
Any reputable company isn't going to do it, and if the link isn't from someone reputable... then why are you clicking on it? It's like the people that click every link they see on IRC.
Yes, but it can't be a perfect world where things you click aren't the stuff they seem to be... There are borderlines, you know, a greyish zone.
What if one of your good mates sends you an ICQ msg or IRC pm, containing an eBay link to a product he really thinks is funny?
You click it, but it's a fake website. You log in, and wooooosh, your password is gone.
Maybe your mate doesn't even want to trick you: He fell for it as well, and then he's spreading it...


Quote:
Originally Posted by Raging.Retard
The ability for websites to execute arbitrary code for 90% of (unpatched) IE users is of a far greater concern.
You put it into brackets: Unpatched. That's the point: This "URL-disguising" works in some versions of IE5 and in all versions of IE6. Totally patched. You can never be sure.

But you CAN try to make sure, that no code is executed.
You disable different scripts, get a nice virus scanner and firewall, build sandboxes etc.
Still, you will NEVER disable clicking on Links.
It's entirely up to you, and we humans DO make mistakes (like when you're tired late at night or whatever).

Think of someone sending you a link to a scanreport or all those PA-related stuff. And you aren't really on the "official" scanreport site...



Quote:
Originally Posted by ComradeRob
If you want to see any url then you have to check the status bar - the link could be 'http://www.evilhackersite.com/trojan.php', the only way to see this would be to check the status bar (or tooltip). So in fact it's no different to a normal link...
Well, you can EASILY set status-messages using JavaScript, and you can fake this description to look "normal". ToolTips as well...
Also, you can use form-buttons, you know, like "Login" or "Submit", and they don't show any status messages.


Quote:
Originally Posted by ComradeRob
The problem isn't a problem with IE, it's a problem with URLs. The URLs you posted are perfectly valid URLs, and would fool people using other browsers just as easily. The lesson, I suppose, is to be careful about the URLs you click on, no matter which browser you use.
I don't know if this sort of "username:password@host" works in other browsers. But I do suppose, they don't have that 0x01 bug.
Also, it's clearly a bug in IE, that it doesn't show which page you're on.

Ok ok, I know, you must ALWAYS be careful, but HEY, it's definitely not ok this way. I'm just so annoyed.


I could easily say now:
Hey, have a look in this nice thread over there, it has all been said before. Here's a link for you.
You get a page that looks like PABoards. In fact, it's an exact copy. But when you want to post, reply, or straight at the beginning, it says that you're not logged in.
Your cookie has expired. The thread is too old, whatever.
I really do wonder how many people would fall for it, and enter their user name and password again.

Refer them back to the original site, and they won't even notice.

Really, I think it's quite serious (you should have noticed ^^).
Might wanna call me paranoid
__________________
[»] Entropy increases! :-/
11 Dec 2003, 15:07   #7
pablissimo
Henry Kelly
 
Join Date: Apr 2000
Posts: 7,374
Re: Wow, this is dangerous...

mIRC* and ICQ and the like shouldn't parse those as URLs. The only way this seems to be any use at all is if you go to a webpage with a link on it (though if you're on a reputable site there's not going to be an issue), or you get a link via an email (which would be parsed out on Hotmail I guess, haven't tried but since they htmlify every link it seems logical).

I don't see the big deal.

* mIRC shows you a square box in place of the 0x01, so you'd know something was up straight away.
__________________
You're now playing ketchup
11 Dec 2003, 20:20   #8
queball
Ball
 
Join Date: Oct 2001
Posts: 4,410
Re: Wow, this is dangerous...

Actually, the slash makes it not a username.
Try it!
http://pirate.planetarion.com/[email protected]
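
An added example, not code from any poster in the thread, showing the distinction raised in posts #1 and #8: only an "@" inside the authority (before the first "/") marks userinfo, so a link checker can report the host that will really be contacted and flag userinfo carrying a control character. The sample URLs are constructed, and the function names and finding labels are made up for illustration.

```javascript
// Added example: classify a link by where its "@" sits, following the
// authority rules of RFC 3986. Names and labels here are illustrative.

// A control character, either raw (0x00-0x1f, 0x7f) or percent-encoded.
const CTRL = /[\u0000-\u001f\u007f]|%(?:[01][0-9a-f]|7f)/i;

// Split "scheme://authority/rest". The authority ends at the first "/",
// "?" or "#"; userinfo is whatever precedes the last "@" inside it.
// An "@" later in the path or query is ordinary data.
function splitAuthority(href) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)([\s\S]*)$/i.exec(href);
  if (!m) return null;
  const authority = m[2];
  const at = authority.lastIndexOf("@");
  const userinfo = at === -1 ? null : authority.slice(0, at);
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  const host = hostport.replace(/:\d*$/, "").toLowerCase(); // drop ":port"
  return { userinfo, host, rest: m[3] };
}

// Return the real host plus a list of findings a mail filter, chat client
// or link preview could act on.
function inspectLink(href) {
  const parts = splitAuthority(href);
  if (!parts) return { host: null, findings: ["not-a-hierarchical-url"] };
  const findings = [];
  if (parts.userinfo !== null) {
    findings.push("userinfo-present");
    if (CTRL.test(parts.userinfo)) findings.push("control-char-in-userinfo");
    // Text before the first control character, minus any ":password" part.
    const shown = parts.userinfo.split(CTRL)[0].split(":")[0];
    const looksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(shown);
    if (looksLikeHost && shown.toLowerCase() !== parts.host) {
      findings.push("userinfo-looks-like-host");
    }
  }
  return { host: parts.host, findings };
}

// Constructed samples: "@" in the query, "@" in the authority, and the
// same with an encoded or raw control character in front of the "@".
const SAMPLES = [
  "http://pirate.planetarion.com/register.php?do=signup&ref=someone@example.com",
  "http://www.microsoft.com@www.planetarion.com/",
  "http://www.microsoft.com%01@www.planetarion.com/",
  "http://www.microsoft.com\u0000@www.planetarion.com/",
];

for (const href of SAMPLES) {
  const r = inspectLink(href);
  console.log(JSON.stringify(href), "->", r.host, r.findings.join(", ") || "clean");
}
```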
11 Dec 2003, 21:03   #9
Banned
Banned
 
Join Date: Jul 2003
Location: ******
Posts: 2,326
Re: Wow, this is dangerous...

Am I the only one who noticed the cnn.com (and similar) spoof sites using this years ago?
12 Dec 2003, 05:19   #10
Banned
Banned
 
Join Date: Jul 2003
Location: ******
Posts: 2,326
Re: Wow, this is dangerous...

JetLinus needs to learn how to read.
12 Dec 2003, 15:14   #11
JetLinus
Friendly geek of GD :-/
 
Join Date: Nov 2000
Location: On my metal roid
Posts: 923
Re: Wow, this is dangerous...

Quote:
Originally Posted by Banned
JetLinus needs to learn how to read.
Well, yes, uhm, doesn't that prove my point? No?
IMO it does actually...
__________________
[»] Entropy increases! :-/
14 Dec 2003, 07:15   #12
W
Gubbish
 
Join Date: Sep 2000
Location: #FoW
Posts: 2,323
Re: Wow, this is dangerous...

Stupid people getting what they deserve.
__________________
Gubble gubble gubble gubble
14 Dec 2003, 10:21   #13
hyfe
Dum Di Dum Di
 
Join Date: Sep 2001
Posts: 858
Re: Wow, this is dangerous...

Quote:
Originally Posted by W
Stupid people getting what they deserve.
heh... soo... how exactly does stupidity come into the picture? Computer users in general have learned to distrust content on unknown sites. But that isn't really the problem here, the problem is that once you're at a new site, users generally tend to trust their browser. (I certainly had something as simple as the address bar on my 'trusted thingies list' at least).

(If you're arguing that anybody who uses IE is stupid, I might be more inclined to agree though..)
__________________
Ni! M00!
my boring homepage
14 Dec 2003, 11:20   #14
W
Gubbish
 
Join Date: Sep 2000
Location: #FoW
Posts: 2,323
Re: Wow, this is dangerous...

Quote:
Originally Posted by hyfe
...trust their browser...uses IE...
I'm not saying it's exceptionally stupid. It's a very very common form of stupidity that affects almost everyone. But you still deserve to (and have a right to) pay for your mistakes. Once your account is dry, perhaps you will have learned?
__________________
Gubble gubble gubble gubble
14 Dec 2003, 11:53   #15
hyfe
Dum Di Dum Di
 
Join Date: Sep 2001
Posts: 858
Re: Wow, this is dangerous...

Quote:
Originally Posted by W
I'm not saying it's exceptionally stupid. It's a very very common form of stupidity that affects almost everyone. But you still deserve to (and have a right to) pay for your mistakes. Once your account is dry, perhaps you will have learned?
I'm not using IE.

Either way: Lack of knowledge != stupidity. The basic idea of trusting your browser to do simple things like show a URL is a good one, because whatever tool you're using you have to trust it to some extent. And even given the amount of ActiveX etc crapola around, I still think (thought) trusting something as simple as the address bar to show what site it just requested is a sound decision.

Ofc, you might argue that you'd have to be stupid to not catch up with how crap IE is, but that would just be trolling
__________________
Ni! M00!
my boring homepage
14 Dec 2003, 18:19   #16
Leshy
Mr. Blobby
 
Join Date: Nov 2000
Location: Belgium
Posts: 8,271
Re: Wow, this is dangerous...

Quote:
Security warning:

You are about to go to an address containing a username.

Username: www.microsoft.com
Server: www.planetarion.com

Are you sure you want to go to this address?
<3 Opera
__________________
http://www.leshy.net
14 Dec 2003, 21:41   #17
Gayle29uk
Bitch
 
Join Date: Jun 2002
Location: North Yorkshire
Posts: 3,848
Re: Wow, this is dangerous...

Quote:
Originally Posted by Leshy
<3 Opera
Very spangly
__________________
ACHTUNG!!!
Das machine is nicht fur gefingerpoken und mittengrabben. Ist easy
schnappen der springenwerk, blowenfusen und corkenpoppen mit
spitzensparken. Ist nicht fur gewerken by das dummkopfen. Das
rubbernecken sightseeren keepen hands in das pockets. Relaxen und vatch
das blinkenlights!!!
16 Dec 2003, 05:21   #18
Nodrog
Registered User
 
Join Date: Jun 2000
Posts: 8,476
Re: Wow, this is dangerous...

I think some of you have missed the point... Companies like ebay/paypal etc have for quite some time been telling their customers that due to the large amount of internet 'scam artists', they should only trust a site if it says "www.ebay.com" or "www.paypal.com" in their address bar. This bug allows alternative sites to display this in the address bar if they choose to. Why are the customers to blame for just believing what they have been continually told to believe?

There's no stupidity involved here on the part of those who get scammed by this, other than in their choosing to use an archaic bug ridden web-browser when objectively superior alternatives are freely available. The scam itself is hardly their fault - this isn't even remotely comparable to running 'trojan.exe' or whatever.

Last edited by Nodrog; 16 Dec 2003 at 05:28.
16 Dec 2003, 13:38   #19
JetLinus
Friendly geek of GD :-/
 
Join Date: Nov 2000
Location: On my metal roid
Posts: 923
Re: Wow, this is dangerous...

Small little update: Some problems occur with Mozilla as well, but you got to use %00 (instead of %01). But apparently it's only the status and preview, but not the address bar (still a bug, coz users tend to trust the status bar as well sometimes).

Btw, Microsoft has got a "workaround" (<-- lol). Type this into your address bar:
Code:
javascript:alert("Real URL: " + location.protocol + "//" + location.hostname
+ "/" + "\nGiven URL: " + location.href + "\n"
+ "If the server names do not match, this may be a spoof.");

Quote:
Originally Posted by Leshy
<3 Opera
Oh yeah?
Well, only if you got version 7.23 or greater. Any prior version has another big problem: The "save file" dialog supports relative paths, ie ".\..\.." etc.
When you download a file, Opera creates a temporary file of the format c:\windows\temp\FILXXX.tmp.FILENAME.ext (XXX is a random string).
If you've got a file called AAAAAAAAAA%5C..%5C..%5Ccalc.exe, it would give c:\windows\temp\AAAXXX.tmp.AAAAAAAAAA\..\..\calc.exe and hence overwrite c:\windows\calc.exe.
This can be especially dangerous, when Opera uses certain auto-download functions (e.g. Skins)...

I'm just saying, you know...
__________________
[»] Entropy increases! :-/
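
An added example, not Opera's code and not from the post, modelling the temporary-file naming described in post #19 next to a hardened variant that keeps only the leaf name and checks the result stays inside the temp directory. The directory and the `XXX` stand-in for the random string follow the post; the function names are made up for illustration.

```javascript
// Added example: the download-name handling described above, before and
// after hardening. Helper names are illustrative assumptions.

const TEMP_DIR = "c:\\windows\\temp";

// Collapse "." and ".." segments of a Windows path so the final target
// can be compared against the directory it is supposed to live in.
function normalizeWin(p) {
  const out = [];
  for (const seg of p.split(/[\\/]+/)) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length > 1) out.pop(); // never pop the drive letter
      continue;
    }
    out.push(seg);
  }
  return out.join("\\").toLowerCase();
}

// "Before": decode the server-supplied name and paste it into the path,
// as the post describes (first three letters + random part + ".tmp." + name).
function naiveTempPath(rawName, rand) {
  const name = decodeURIComponent(rawName);
  return TEMP_DIR + "\\" + name.slice(0, 3).toUpperCase() + rand + ".tmp." + name;
}

// Reduce a server-supplied name to a single safe path component.
function safeLeafName(rawName) {
  let name;
  try {
    name = decodeURIComponent(rawName); // decode exactly once
  } catch {
    name = rawName; // malformed escapes: treat the text literally
  }
  name = name.split(/[\\/]/).pop(); // drop every directory part
  name = name.replace(/[\u0000-\u001f<>:"|?*]/g, "_"); // chars invalid on Windows
  name = name.replace(/[. ]+$/, ""); // "..", "." and trailing dots or spaces
  return name === "" ? "download" : name;
}

// "After": build the path from the sanitized leaf, then verify containment.
function hardenedTempPath(rawName, rand) {
  const leaf = safeLeafName(rawName);
  const full = TEMP_DIR + "\\" + leaf.slice(0, 3).toUpperCase() + rand + ".tmp." + leaf;
  if (!normalizeWin(full).startsWith(TEMP_DIR + "\\")) {
    throw new Error("refusing path outside temp directory: " + full);
  }
  return full;
}

// The file name quoted in the post, run through both variants.
const POSTED_NAME = "AAAAAAAAAA%5C..%5C..%5Ccalc.exe";
console.log("naive    ->", normalizeWin(naiveTempPath(POSTED_NAME, "XXX")));
console.log("hardened ->", hardenedTempPath(POSTED_NAME, "XXX"));
```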
16 Dec 2003, 17:41   #20
Super
Sub
 
Join Date: Oct 2003
Location: University of Bath
Posts: 444
Re: Wow, this is dangerous...

I remember using this on Nodrog in IRC years ago so he'd visit 'goat-se' :/

comedy gold
16 Dec 2003, 18:50   #21
queball
Ball
 
Join Date: Oct 2001
Posts: 4,410
Re: Wow, this is dangerous...

That Moz thing fools me:
What does your status bar say for this link?
__________________
#linux
16 Dec 2003, 20:45   #22
JetLinus
Friendly geek of GD :-/
 
Join Date: Nov 2000
Location: On my metal roid
Posts: 923
Re: Wow, this is dangerous...

Uh.. in IE, statusbar says "www.google.com" only, but the addressbar then contains full linkage.
I guess it's %01 for IE, and %00 for Mozilla then (just as reported).
__________________
[»] Entropy increases! :-/
16 Dec 2003, 23:36   #23
Leshy
Mr. Blobby
 
Join Date: Nov 2000
Location: Belgium
Posts: 8,271
Re: Wow, this is dangerous...

Quote:
Originally Posted by JetLinus
This can be especially dangerous, when Opera uses certain auto-download functions (e.g. Skins)
Apparently this was indeed an issue; but only with the Auto-Install feature. And it's already fixed, so I'll happily continue to love Opera.
__________________
http://www.leshy.net
17 Dec 2003, 11:43   #24
Cyp
∞+♪²
 
Join Date: Nov 2000
Location: :uo!te]o¯|
Posts: 428
Re: Wow, this is dangerous...

What about this one? http://google.com
__________________
Structural Integrity for Creator - since he'll probably make PA turn 3D.
Wikipedia forum
Note to self - Don't write Chinese letters with bold and italics...
<!--Last incarnation: Nov 2000-->
17 Dec 2003, 17:00   #25
W
Gubbish
 
Join Date: Sep 2000
Location: #FoW
Posts: 2,323
Re: Wow, this is dangerous...

Quote:
Originally Posted by Nodrog
I think some of you have missed the point... Companies like ebay/paypal etc have for quite some time been telling their customers that due to the large amount of internet 'scam artists', they should only trust a site if it says "www.ebay.com" or "www.paypal.com" in their address bar. This bug allows alternative sites to display this in the address bar if they choose to. Why are the customers to blame for just believing what they have been continually told to believe?
Are you saying ebay and paypal are the stupid ones, and that the people that trusted the stupid company isn't?
__________________
Gubble gubble gubble gubble
17 Dec 2003, 17:27   #26
flapjack
crashed computer
 
Join Date: Jan 2001
Posts: 2,257
Re: Wow, this is dangerous...

yes, because most people think that the big stupid companies know what they're talking about
__________________
IRC quotes:
<Walrus> Let's all poke him next time he appears.
<Heiro> I think that is wise, Master Walrus

<Gryffin> ungrateful wretches
<Gryffin> they should be here!
<Gryffin> so I can grace them with my presence
29 Dec 2003, 21:42   #27
Intrepid00
Registered User
 
Join Date: Aug 2000
Posts: 1,967
Re: Wow, this is dangerous...

Clearly a good reason why you should only submit personal information over SSL.
30 Dec 2003, 02:06   #28
JetLinus
Friendly geek of GD :-/
 
Join Date: Nov 2000
Location: On my metal roid
Posts: 923
Re: Wow, this is dangerous...

Lol, you can fake SSL sites and URLs (https) and stuff as well.
That wasn't the point... What's the benefit of encrypted data, if you're talking to the wrong person (server)?
__________________
[»] Entropy increases! :-/
All times are GMT +1.