New IE vulnerability – fake URLs

In: Browsers

10 Dec 2003

IE has a new security flaw which will be a major boon to spammers and fraudsters. This flaw allows spoofing of URLs via the http://user@domain notation. For example, a fraudulent spammer could well direct victims to http://wwww.paypal.com&sessionid%123123123&@blog.codefront.net, but have it show up as http://www.paypal.com&sessionid%123456789 (of course, the fraudulent webpage has to be convincing enough to fool victims into believing they are actually at PayPal!). This works because including a 0x01 character after the “@” character makes IE hide the real location of the page!
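Added example (not code from this post or from Simon Willison): a small Python check built on the standard library's urlsplit that pulls the real host out of a user@host URL and flags the tell-tale signs of this trick (userinfo before the “@”, a control character such as 0x01 inside it, and userinfo that reads like some other site's hostname). The sample URLs and the attacker.example host are constructed for the example.

```python
"""Flag URLs that use the user@host form to disguise the real host."""
import re
from urllib.parse import urlsplit, unquote

# C0 control characters (0x00-0x1F) plus DEL; 0x01 is the one the post describes.
CONTROL_CHARS = {chr(c) for c in range(0x20)} | {"\x7f"}
HOST_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")


def inspect_url(url: str) -> dict:
    """Return the real host plus the reasons the URL looks deceptive.

    The host a browser actually connects to is the part after the last '@' in
    the authority; everything before it is userinfo, which is what the flawed
    address bar rendered as if it were the site.
    """
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()
    userinfo = parts.netloc.rpartition("@")[0]   # '' when there is no '@'
    decoded = unquote(userinfo)                  # %01 becomes the raw 0x01 char
    reasons = []
    if userinfo:
        reasons.append("userinfo present before '@'")
    controls = [ch for ch in decoded if ch in CONTROL_CHARS]
    if controls:
        reasons.append("control character(s) in userinfo: "
                       + ",".join("0x%02x" % ord(c) for c in controls))
    # What a victim would read: the userinfo up to the first control character.
    shown = decoded
    for ch in decoded:
        if ch in CONTROL_CHARS:
            shown = decoded.split(ch, 1)[0]
            break
    host_like = HOST_LIKE.match(shown.lower())
    if host_like and host_like.group(0) != real_host:
        reasons.append("userinfo resembles a different host: " + host_like.group(0))
    return {"real_host": real_host, "displayed_prefix": shown,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample inputs (not from the post): one spoof, one legitimate URL.
SAMPLES = [
    "http://www.paypal.com%01@attacker.example/login",
    "http://www.paypal.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", inspect_url(sample))
```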

To see it in action, fire up IE and check out this demonstration.

Source: Simon Willison
