And the latest web browser vulnerability. This one…

And the latest web browser vulnerability. This one is a major problem on IE, a slight problem on Gecko browsers, and reportedly not an issue on Opera. It’s a new trick that makes an old trick harder to detect.

The “@ URL” trick has been around for a while. You can log into a website with http://username:password@www.something.com/. The trick involves creating a URL for your site that has a username consisting of what appears to be a good domain name. For example, http://www.microsoft.com@www.invisibill.net/. This will take you to http://www.invisibill.net/ as user www.microsoft.com. Generally people would use character encoding (see NATATA Anti-Spam in my software section) to create a really long URL. Users would only see or understand the first part, www.microsoft.com. Opera has a neat method that warns a user when they click on a URL like this, and Bugzilla already has talk of adding a similar feature to the Mozilla browsers.

This is where the new vulnerability comes in. %01 is one of these encoded characters. It’s a special character that causes the browser to think it’s the end of what should be displayed. Like the above example, http://www.microsoft.com%01@www.invisibill.net/ will send you to http://www.invisibill.net/ as user www.microsoft.com%01. However, the %01 cuts off the browser display. Rather than relying on the fact that most people won’t notice or at least won’t understand everything after the first part of the URL, scammers can now completely hide the rest of the URL. In Mozilla, only the status bar is affected by this; the mouseover URL will be cut off. In IE, the status bar and the Address bar will both be cut off. If you click the Test button below in IE, you will see this page in your browser window, but the Address bar will still show http://www.microsoft.com.
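To make the two paragraphs above concrete, here is a small added example (my illustration, not code from the original post): it splits a URL the way a correctly behaving browser does, so the host that will actually be contacted is separated from the userinfo, and it flags the two warning signs described here: userinfo that looks like a hostname, and a percent-encoded control character such as %01 in the userinfo. A second helper models what the broken address-bar display did, cutting the decoded string at the first control character, which is why only http://www.microsoft.com was visible. The URLs used are the post's own examples; the function names are my own.

```python
"""Spot '@'-userinfo URL spoofing and show why the %01 variant hid the real host."""
import re
from urllib.parse import unquote, urlsplit

# Percent-encoded C0 control characters (%00 .. %1F); %01 is the one the post describes.
CONTROL_ESCAPE = re.compile(r"%[01][0-9A-Fa-f]")

# Something a user would read as a DNS name: labels separated by at least one dot.
HOSTLIKE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def analyze_url(url):
    """Return the host the browser really resolves, the userinfo (if any),
    and a list of reasons the URL looks like a userinfo spoof."""
    parts = urlsplit(url)
    reasons = []
    username = parts.username      # everything before the last '@' (and before ':')
    real_host = parts.hostname     # what the browser actually connects to
    if username is not None:
        if CONTROL_ESCAPE.search(username):
            reasons.append("control character in userinfo")
        # Judge the part a reader would have seen, with the %xx escapes stripped out.
        visible = CONTROL_ESCAPE.sub("", username)
        if HOSTLIKE.match(unquote(visible)):
            reasons.append("userinfo looks like a hostname")
    return {"real_host": real_host, "userinfo": username, "reasons": reasons}


def shown_by_vulnerable_display(url):
    """Model the buggy display: decode the URL and stop at the first control character,
    which is how http://www.microsoft.com%01@www.invisibill.net/ came to show only
    http://www.microsoft.com in the Address bar."""
    decoded = unquote(url)
    for i, ch in enumerate(decoded):
        if ord(ch) < 0x20:
            return decoded[:i]
    return decoded


if __name__ == "__main__":
    for sample in (
        "http://www.microsoft.com@www.invisibill.net/",
        "http://www.microsoft.com%01@www.invisibill.net/",
        "http://www.invisibill.net/",
    ):
        info = analyze_url(sample)
        print(sample)
        print("  really goes to:", info["real_host"])
        print("  buggy display :", shown_by_vulnerable_display(sample))
        print("  warnings      :", info["reasons"] or "none")
```

The defender-side point is the first function: a mail filter or link checker that looks at `real_host` rather than the leading text of the URL is not fooled by either variant, and the presence of userinfo at all on an http link is worth a warning of the kind Opera gave.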

Note that my domain’s URL forwarding puts the actual site into a frame with an unchanging URL showing. Use http://s87708598.onlinehome.us/ to access it without the URL forwarding stuff.

With this trick, and clever mouseovers and link names, even pros could be fooled, due to all the redirects that now result in a much longer URL than you originally used. This trick could make it much easier for scammers running copies of popular websites (in order to get you to submit information like passwords or credit card numbers) to fool people into believing it’s the legitimate site. Be extremely careful until this is fixed, and hand-type URLs just to be sure if you have to. Rather than following a link in an email to verify your information with some site, open your browser and type in the URL. It’s the best way to be 100% sure you aren’t being tricked into going somewhere else.
