RomeoTangoFoxtrotMike
10th Dec 2003, 23:50
According to the discoverers:
There is a bug in the way that Internet Explorer displays URLs in the address bar.
By opening a specially crafted URL an attacker can open a page that appears to be from a different domain from the current location.
By opening a window using the http://user@domain nomenclature an attacker can hide the real location of the page by including a 0x01 character after the "@" character.
Internet Explorer doesn't display the rest of the URL making the page appear to be at a different domain.
A benign demonstration can be found at http://www.zapthedingbat.com/security/ex01/vun1.htm
This is particularly relevant (to UK viewers, at least) as there has been a spate of scam emails recently, trying to persuade victims to "log on" to the websites of well-known high street banks, because the user purportedly needs to update/reactivate/other bogus excuse their account. The user is then covertly redirected to the fraudster's site, who promptly harvests the bank details of those who are :mad: enough to put them in... (to be fair, some of the fraudsters' sites do appear, on cursory examination, very realistic facsimiles of the genuine sites.)
This bug could, of course, be exploited by any potential scammer to subvert the connections of the unwary.
At present there is no fix from Microsoft. The only available workaround is not to use IE... :uhoh:
"Let's be careful out there..."