Internet Explorer flaw allows display of "fake" URLs

Dec 11, 2003, 04:44 PM
Category: Microsoft
Link: Internet Explorer flaw allows display of "fake" URLs (http://www.informationweek.com/story/showArticle.jhtml?articleID=16700218)

Posted on MacBytes.com (http://www.macbytes.com)

Approved by arn

Dec 11, 2003, 04:51 PM
And this is only coming out now?

I have been getting this stuff for years, mainly fake news on CNN.

Wow hah

Dec 11, 2003, 05:26 PM
The URL address used to be the best defense against "fake" URL sites, particularly those trying to get PayPal info. But with this flaw (which I tried and is ridiculously easy to create), that line of defense is gone. Fortunately, only IE for Windows is affected. IE for Mac does not appear to have the same vulnerability. :)

Dec 11, 2003, 06:07 PM
"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities," the company said in a statement.

What the f#%k, MS, not disclosed responsibly?! Fix it, you jackasses, and you won't have to worry about getting bad press.

Dec 11, 2003, 08:18 PM
Nah, remember most fake scams are like


Yeah, that is obvious to spot... this is almost impossible.

I mean, for god's sake, that is horrible.

Dec 12, 2003, 12:06 AM
Look, for the last several years I would get spam from a CNN-like URL. Basically the user would download a CNN page, change it to some fake news and send me the www.cnn.com@


If you weren't paying attention, you'd think it's real.

Dec 12, 2003, 01:01 PM
But in this case, even if you were paying attention, you'd be misled. You would not see the "@" in the URL in the address or status bar. That's why this is a rather dangerous vulnerability.

Dec 12, 2003, 01:49 PM
There appears to be a lot of misunderstanding about the nature of this vulnerability.

This is a lot more serious than people realize.

For years you've been able to spoof websites by composing a URL like:

http://yourbank.com@<some junk>

But if people go to the URL they will see the @ sign in the URL and, if you know what's going on, realize you've been spoofed.

Taking advantage of this vulnerability, even if you look at the address bar you would see:


So there is no way even a clueful person can tell they are at a spoofed site.

I've tried the example on IE6 on XP and it works as advertised. The address bar says "http://microsoft .com" with nothing else after it, but I am at an example spoofed site.

But you say, "Ohh, but when I mouse over the link I can see in the status bar that it's spoofed and know not to click it, right?"

Well, the other trick that's being used is to add a lot of spaces to the URL, so the spoofed part is off the right edge of the status bar.

So now we have the capability to spoof sites where the only way to tell is to view source on the referring page.

That is dangerous.
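The two tricks described in this thread (the `http://yourbank.com@...` userinfo form, and padding the URL with spaces so the real host scrolls out of the status bar) both come down to one question: which host will the browser actually connect to, versus what a reader sees first? The following is an added defensive check, not code from the thread or from any of the posters; it uses Python's standard `urllib.parse` to split a URL the way a standards-following client does and reports when the apparent host and the real host disagree or when the authority part carries whitespace. The sample URLs are constructed for illustration (`evil.example` is a placeholder, not a real site).

```python
from urllib.parse import urlsplit, unquote


def analyze_url(url):
    """Describe how a URL could mislead a reader.

    Returns a dict with:
      apparent_host: the first host-looking text after the scheme
                     (what a casual reader takes to be the site)
      actual_host:   the host the client will really connect to
      flags:         human-readable warnings (empty list = nothing odd)
    """
    parts = urlsplit(url)
    flags = []
    actual_host = parts.hostname or ""

    # Anything before '@' in the authority is userinfo (a username),
    # never the host. urlsplit exposes it as parts.username.
    if parts.username is not None:
        # Percent-decode and strip so padded forms like
        # "yourbank.com%20%20@evil.example" still yield "yourbank.com".
        apparent_host = unquote(parts.username).strip()
        flags.append(
            "userinfo present: %r is a username, not the host" % apparent_host
        )
    else:
        apparent_host = actual_host

    if apparent_host.lower() != actual_host.lower():
        flags.append(
            "apparent host %r differs from actual host %r"
            % (apparent_host, actual_host)
        )

    # Whitespace in the authority (raw or percent-encoded) has no legitimate
    # use and is the padding trick that pushes the real host out of view.
    if any(ch.isspace() for ch in unquote(parts.netloc)):
        flags.append("whitespace in authority: padding can hide the real host")

    return {
        "apparent_host": apparent_host,
        "actual_host": actual_host,
        "flags": flags,
    }


if __name__ == "__main__":
    # Constructed sample URLs: one honest, two in the shapes the thread describes.
    for sample in (
        "http://www.cnn.com/",
        "http://yourbank.com@evil.example/login",
        "http://yourbank.com%20%20%20%20%20%20%20%20@evil.example/login",
    ):
        result = analyze_url(sample)
        print(sample)
        print("  connects to:", result["actual_host"])
        for flag in result["flags"]:
            print("  WARNING:", flag)
```

Run as a script it prints the real destination for each sample and a warning line per finding; as a function it slots into a mail filter or link-rewriting proxy, where a non-empty `flags` list is the signal to block or annotate the link. The check is deliberately on the parsed authority, not on the raw string, because that is the same split the browser performs.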