PDA

View Full Version : Internet Explorer flaw allows display of "fake" URLs


MacBytes
Dec 11, 2003, 04:44 PM
Category: Microsoft
Link: Internet Explorer flaw allows display of "fake" URLs (http://www.informationweek.com/story/showArticle.jhtml?articleID=16700218)

Posted on MacBytes.com (http://www.macbytes.com)

Approved by arn

mrl14
Dec 11, 2003, 04:51 PM
and this is only coming out now?

I have been getting this stuff for years, mainly fake news on CNN.

Wow hah

ALoLA
Dec 11, 2003, 05:26 PM
The URL address used to be the best defense against "fake" URL sites, particularly those trying to get PayPal info. But with this flaw (which I tried and is ridiculously easy to create), that line of defense is gone. Fortunately, only IE for Windows is affected. IE for Mac does not appear to have the same vulnerability. :)

mrsebastian
Dec 11, 2003, 06:07 PM
"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities," the company said in a statement.

what the f#%k ms, not disclosed responsibly?! fix it you jackasses and you won't have to worry about getting bad press.

MrMacMan
Dec 11, 2003, 08:18 PM
Nah, remember most fake scams are like

http:xxx.xxx.xxx.xxx@ebay.com

Yeah that is obvious to spot... this is almost impossible.

I mean for god sake, that is horrible.

mrl14
Dec 12, 2003, 12:06 AM
Look, for the last several years I would get spam from a CNN like url. Basically the user would download a CNN page, change it to some fake news and send me the www.cnn.com@1.1.1.1/news/index.html

etc.

If you weren't paying attention, you'd think its real.

ALoLA
Dec 12, 2003, 01:01 PM
But in this case, even if you were paying attention, you'd be misled. You would not see the "@1.1.1.1/news/index.html" in the URL in the address or status bar. That's why this is a rather dangerous vulnerability.

stcanard
Dec 12, 2003, 01:49 PM
There appears to be a lot of misunderstanding about the nature of this vulnerability.

This is a lot more serious than people realize.

For years you've been able to spoof websited by composing a URL like:

http://yourbank.com@<some junk>

But if people go the the URL they will see the @ sign in the url and if you know what's going on realize you've been spoofed.

Taking advantage of this vulnerability, even if you look at the address bar you would see:

http://yourbank.com

So there is no way even a clueful person can tell they are at a spoofed site.

I've tried the example on IE6 on xp and it works as advertised. The address bar says "http://microsoft .com" with nothing else after it, but I am at an example spoofed site.

But you say "Ohh, but when I mouseover the link I can see in that status bar that it's spoofed and know not to click it, right?"

Well the other trick that's being used is to add a lot of spaces to the url, so the spoofed part is off the right edge of the status bar.

So now we have the capability to spoof sites where the only way to tell is view source on the referring page

That is dangerous.