Internet Explorer flaw allows display of "fake" URLs

Discussion in 'News Discussion' started by MacBytes, Dec 11, 2003.

  1. macrumors bot

    Jul 5, 2003
  2. macrumors newbie

    Jul 16, 2003
    and this is only coming out now?

    I have been getting this stuff for years, mainly fake news on CNN.

    Wow hah
  3. macrumors regular

    Sep 23, 2003
    Greater Los Angeles Area
    The URL address used to be the best defense against "fake" URL sites, particularly those trying to get PayPal info. But with this flaw (which I tried and is ridiculously easy to create), that line of defense is gone. Fortunately, only IE for Windows is affected. IE for Mac does not appear to have the same vulnerability. :)
  4. macrumors 6502a


    Nov 26, 2002
    sunny san diego
    "Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities," the company said in a statement.

    what the f#%k ms, not disclosed responsibly?! fix it you jackasses and you won't have to worry about getting bad press.
  5. macrumors 604


    Jul 4, 2001
    1 Block away from NYC.
    Nah, remember most fake scams are like

    Yeah that is obvious to spot... this is almost impossible.

    I mean for god sake, that is horrible.
  6. macrumors newbie

    Jul 16, 2003
    Look, for the last several years I would get spam from a CNN-like URL. Basically the user would download a CNN page, change it to some fake news and send me the


    If you weren't paying attention, you'd think it's real.
  7. macrumors regular

    Sep 23, 2003
    Greater Los Angeles Area
    But in this case, even if you were paying attention, you'd be misled. You would not see the "@" in the URL in the address or status bar. That's why this is a rather dangerous vulnerability.
  8. macrumors 65816


    Oct 19, 2003
    There appears to be a lot of misunderstanding about the nature of this vulnerability.

    This is a lot more serious than people realize.

    For years you've been able to spoof websites by composing a URL like: <some junk>

    But if people go to the URL they will see the @ sign in the URL and, if you know what's going on, realize you've been spoofed.

    Taking advantage of this vulnerability, even if you look at the address bar you would see:

    So there is no way even a clueful person can tell they are at a spoofed site.

    I've tried the example on IE6 on XP and it works as advertised. The address bar says "http://microsoft .com" with nothing else after it, but I am at an example spoofed site.

    But you say "Ohh, but when I mouseover the link I can see in that status bar that it's spoofed and know not to click it, right?"

    Well, the other trick that's being used is to add a lot of spaces to the URL, so the spoofed part is off the right edge of the status bar.

    So now we have the capability to spoof sites where the only way to tell is view source on the referring page.

    That is dangerous.
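
Added example (not part of the thread or of any poster's message): a Python link audit that flags the two tricks described in the posts above, a hostname-looking string placed before an "@" and a long run of spaces used as padding. The function names, the 8-character padding threshold and the sample links (documentation hosts example.com and 192.0.2.10) are assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Heuristics; the 8-character padding threshold is an assumption, tune as needed.
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
PADDING = re.compile(r"(?:\s|%20){8,}", re.I)

def audit_url(url):
    """Return findings for one http(s) link target."""
    findings = []
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return findings
    # Everything before the last '@' in the authority is userinfo, not the host.
    userinfo, at, _ = parts.netloc.rpartition("@")
    if at:
        findings.append(f"userinfo before '@'; real host is {parts.hostname}")
        if HOSTLIKE.match(unquote(userinfo).strip()):
            findings.append("userinfo looks like a hostname")
    if PADDING.search(url.strip()):
        findings.append("long run of spaces in URL")
    return findings

class LinkAuditor(HTMLParser):
    """Collect findings for every <a href> in a document."""
    def __init__(self):
        super().__init__()
        self.report = {}
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            found = audit_url(href)
            if found:
                self.report[href] = found

def audit_html(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.report

# Constructed sample; example.com and 192.0.2.10 are documentation addresses.
SAMPLE = """
<a href="http://www.example.com/news">ok</a>
<a href="http://www.example.com@192.0.2.10/login">spoof</a>
<a href="http://www.example.com%20%20%20%20%20%20%20%20%20%20@192.0.2.10/">padded</a>
<a href="mailto:someone@example.com">mail</a>
"""

if __name__ == "__main__":
    for url, found in audit_html(SAMPLE).items():
        print(url, "->", "; ".join(found))
```

Run over the HTML body of a message or referring page, this reports the real host for each flagged link, which is the information the posts say the address bar and status bar fail to show.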
