New IE Bug Hides Real Site Address - Are you vulnerable?

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • quantum-x
    Confirmed User
    • Feb 2002
    • 6863

    #1

    New IE Bug Hides Real Site Address - Are you vulnerable?

    Read about this one.. it's actually pretty nasty!

    It allows people to fake what displays up in the location bar, while the browser points somewhere else...

    TEST here

    Read the advisories here

    I wonder how long it'll take for people to start using https://secure-russian-billing.com :/
    PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -
  • quantum-x
    Confirmed User
    • Feb 2002
    • 6863

    #2
    Check the test link above. It links offsite, but the browser even thinks it's going to the spoofed site - and only shows that i the status bar.

    This is more than slghtly nasty!
    PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -

    Comment

    • Dirty F
      Too lazy to set a custom title
      • Jul 2001
      • 59204

      #3
      Im safe...

      Using Opera.

      Comment

      •  Smokey The Bear 
        So Fucking Banned
        • Dec 2003
        • 3880

        #4
        What part of " I.E. " in the thread title didnt you get battuss ?

        Comment

        • gornyhuy
          Chafed.
          • May 2002
          • 18041

          #5
          Shit!

          Now how can I make money from this?

          icq:159548293

          Comment

          • Dirty F
            Too lazy to set a custom title
            • Jul 2001
            • 59204

            #6
            Originally posted by  Smokey The Bear 
            What part of " I.E. " in the thread title didnt you get battuss ?
            What part of im safe, im using Opera didnt you get idiot?

            Stop fucking stalking me...youre like shit under my shoe that just wont go.

            Fucking freak.

            Comment

            • 404
              Confirmed abUser
              • Jun 2003
              • 1154

              #7
              holy fuck...
              (b] cheap hmtl programer for hire (/b)

              Comment

              • quantum-x
                Confirmed User
                • Feb 2002
                • 6863

                #8
                Originally posted by Battuss


                What part of im safe, im using Opera didnt you get idiot?

                Stop fucking stalking me...youre like shit under my shoe that just wont go.

                Fucking freak.
                heeere we go :D
                PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -

                Comment

                • Lane
                  Will code for food...
                  • Apr 2001
                  • 8496

                  #9
                  Originally posted by gornyhuy
                  Shit!

                  Now how can I make money from this?

                  spam those fake paypal emails, and the address will look real

                  Comment

                  • Lensman
                    GFY Chaperone
                    • Jan 2001
                    • 9846

                    #10
                    Good one.

                    Comment

                    • Mr.Fiction
                      Confirmed User
                      • Feb 2002
                      • 9484

                      #11
                      How long will it take someone to blame Smokey The Bear for this?
                      Don't be lazy, protect free speech: ACLU | Free Speech Coalition | EFF | IMPA

                      Comment

                      • ThunderBalls
                        So Fucking Banned
                        • Oct 2002
                        • 2926

                        #12
                        Originally posted by gornyhuy
                        Shit!

                        Now how can I make money from this?
                        Thats what I was thinking!

                        Comment

                        • ThunderBalls
                          So Fucking Banned
                          • Oct 2002
                          • 2926

                          #13
                          Netscape 7.1 is also vulnerable to this.

                          Comment

                          • 404
                            Confirmed abUser
                            • Jun 2003
                            • 1154

                            #14
                            shit, there don't seem to be any work-arounds yet either, although right-click/properties on the link shows the offending character.

                            i'm guessing the phishers are doing overtime on their fake sites at the moment.
                            (b] cheap hmtl programer for hire (/b)

                            Comment

                            • JSA Matt
                              So Fucking Banned
                              • Aug 2003
                              • 5464

                              #15
                              It doesn't work with sites that redirect / break out of frames.. like cnn.com

                              Nice find though

                              Comment

                              • JSA Matt
                                So Fucking Banned
                                • Aug 2003
                                • 5464

                                #16
                                Originally posted by Lane
                                spam those fake paypal emails, and the address will look real
                                It works with paypal.com too : )

                                Test: <a href="http://www.adult.com%[email protected]/">Adult.com</a>

                                Comment

                                • TheJimmy
                                  ICQ- five seven 0 2 5 5 0
                                  • Jan 2001
                                  • 10747

                                  #17
                                  Originally posted by ThunderBalls
                                  Netscape 7.1 is also vulnerable to this.

                                  I just hit their test link and my NS 7.1 didn't get exploited...

                                  in-ter-esting...


                                  only sounds worthwhile to <><'ers & carders...
                                  Investor with 5m - 15m USD to invest. Do you have a site or network of sites earning 50k - 200k a month income? Email your contact and preliminary data to: domain.cashventures (at) gmail.com....Please...no tire kickers...serious offers and inquiries only.

                                  Comment

                                  • $5 submissions
                                    I help you SUCCEED
                                    • Nov 2003
                                    • 32195

                                    #18
                                    Originally posted by Mr.Fiction
                                    How long will it take someone to blame Smokey The Bear for this?
                                    LOL. Seriously, somebody should hire him as a security expert. Dude's got skillz.

                                    Comment

                                    • gleb
                                      Confirmed User
                                      • Nov 2002
                                      • 311

                                      #19
                                      haha thats cool

                                      now u've made me extra paranoid

                                      Comment

                                      • NoAngel
                                        Confirmed User
                                        • Oct 2003
                                        • 333

                                        #20
                                        More Vuln. of IE

                                        Liu Die Yu - Chinese IT Expert

                                        The place for (No)Angels - Always New Models and Faces
                                        Custom and Exclusive Photo-Video Content
                                        ICQ:335332443

                                        Comment

                                        • fuzebox
                                          making it rain
                                          • Oct 2003
                                          • 22352

                                          #21
                                          So how does it look under IE? I still see the site, but the full URL is shown in the address bar (fakeurl + garbage characters + @real url etc)...

                                          In the status bar I see the fake url + a garbage character.

                                          Does this all look clean and unassuming under IE? Everything after (and including) the garbage character hidden?

                                          If so, nice.

                                          Comment

                                          • funkmaster
                                            So Fucking Banned
                                            • Sep 2001
                                            • 7938

                                            #22
                                            Originally posted by Lane



                                            spam those fake paypal emails, and the address will look real
                                            ... this got me started !!

                                            Comment

                                            • 420
                                              cuck
                                              • Mar 2003
                                              • 11571

                                              #23
                                              looks alot of people are going to get scammed this christmas
                                              <!--BEGIN SIMUTRONICS PLAY BUTTON CODE -->
                                              <p align="center">

                                              <a href="http://buddy.play.net/dr?TMOREAU1">

                                              <img src="drplay.gif" width="128" height="64" alt="Play DragonRealms!"></a></p>

                                              <!--END SIMUTRONICS PLAY BUTTON CODE -->

                                              Comment

                                              • quantum-x
                                                Confirmed User
                                                • Feb 2002
                                                • 6863

                                                #24
                                                Originally posted by fuzebox
                                                So how does it look under IE? I still see the site, but the full URL is shown in the address bar (fakeurl + garbage characters + @real url etc)...

                                                In the status bar I see the fake url + a garbage character.

                                                Does this all look clean and unassuming under IE? Everything after (and including) the garbage character hidden?

                                                If so, nice.


                                                looks coche all the way, even when you move your mouse over the link :/
                                                PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -

                                                Comment

                                                • Dildozer
                                                  Confirmed User
                                                  • Jul 2002
                                                  • 7519

                                                  #25
                                                  haha my first thought was also sending someone at goatse.cx
                                                  Spam link here

                                                  Comment

                                                  • quantum-x
                                                    Confirmed User
                                                    • Feb 2002
                                                    • 6863

                                                    #26
                                                    Originally posted by Dildozer
                                                    haha my first thought was also sending someone at goatse.cx
                                                    I think that's a call out for people to make the funniest fake url w/ the ie bug competition :D
                                                    PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -

                                                    Comment

                                                    • lEricPl
                                                      Confirmed User
                                                      • Dec 2002
                                                      • 1062

                                                      #27
                                                      It looks like all it does is use a line break to seperate the URL.

                                                      microsoft.com%[email protected]/internet_explorer_address_bar_spoofing_test/

                                                      The URL is basically on 2 lines.

                                                      This does not just effect IE.

                                                      Comment

                                                      • NoAngel
                                                        Confirmed User
                                                        • Oct 2003
                                                        • 333

                                                        #28
                                                        Just check your personal 'ignore list', after a redirect with my IE got some new entries there

                                                        The place for (No)Angels - Always New Models and Faces
                                                        Custom and Exclusive Photo-Video Content
                                                        ICQ:335332443

                                                        Comment

                                                        • Jman69
                                                          Confirmed User
                                                          • Oct 2003
                                                          • 240

                                                          #29
                                                          Sure enough my IE failed the test, with netscape it added a bunch of extra characters to the url.

                                                          Its shit like this that makes me glad netscape is my default browser.
                                                          <a href="http://www.japanmoviepost.com/">
                                                          Japan Movie Post</a> - {Trades Needed}
                                                          ICQ# 328466504

                                                          Comment

                                                          • NoAngel
                                                            Confirmed User
                                                            • Oct 2003
                                                            • 333

                                                            #30
                                                            Originally posted by Jman69
                                                            Sure enough my IE failed the test, with netscape it added a bunch of extra characters to the url.

                                                            Its shit like this that makes me glad netscape is my default browser.
                                                            - thinking about it this moment

                                                            The place for (No)Angels - Always New Models and Faces
                                                            Custom and Exclusive Photo-Video Content
                                                            ICQ:335332443

                                                            Comment

                                                            • quantum-x
                                                              Confirmed User
                                                              • Feb 2002
                                                              • 6863

                                                              #31
                                                              Originally posted by Jman69
                                                              Sure enough my IE failed the test, with netscape it added a bunch of extra characters to the url.

                                                              Its shit like this that makes me glad netscape is my default browser.
                                                              yeah, pity that the 90% of people out thhere don't do the same thing..
                                                              PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -

                                                              Comment

                                                              • pamphage
                                                                Confirmed User
                                                                • Jan 2003
                                                                • 3569

                                                                #32
                                                                wow. thats the scariest thing i've seen in awhile. even i might have fallen for it in an email scam or something had they caught me at a bad time.

                                                                well once again ie has proven once again to be the new pioneer into gaping security holes. im suprised this one wasn't found sooner. smokey must have been wasting too much time lurking on gfy ;)
                                                                SIG TOO BIG! Maximum 120x60 button and no more than 3 text lines of DEFAULT SIZE and COLOR.
                                                                Unless your sig is for a GFY top banner sponsor, you may use a 624x80 instead of a 120x60.
                                                                Let me repeat... A 120 x 60 button and no more that 3 lines of DEFAULT SIZE AND COLOR text.

                                                                Comment

                                                                • Swanks
                                                                  Marketing Consultant
                                                                  • May 2003
                                                                  • 811

                                                                  #33
                                                                  Originally posted by Mr.Fiction
                                                                  How long will it take someone to blame Smokey The Bear for this?
                                                                  Originally posted by wiredguy
                                                                  Having haters is a symbol that you've made it in this business
                                                                  WG

                                                                  Comment

                                                                  • pamphage
                                                                    Confirmed User
                                                                    • Jan 2003
                                                                    • 3569

                                                                    #34
                                                                    wow this is fun to freak out your friends and family. you can tell them you are a l33t haxx0r and you took over yahoo.com

                                                                    <a href="http://www.yahoo.com%[email protected]/">Yahoo</a>
                                                                    SIG TOO BIG! Maximum 120x60 button and no more than 3 text lines of DEFAULT SIZE and COLOR.
                                                                    Unless your sig is for a GFY top banner sponsor, you may use a 624x80 instead of a 120x60.
                                                                    Let me repeat... A 120 x 60 button and no more that 3 lines of DEFAULT SIZE AND COLOR text.

                                                                    Comment

                                                                    • rowan
                                                                      Too lazy to set a custom title
                                                                      • Mar 2002
                                                                      • 17393

                                                                      #35
                                                                      I notice that google's toolbar shows the PR for the fake URL, rather than the actual site it's loading. I guess this will happen with most plugins coded in C, since it will see the %00 as a string terminator.

                                                                      Comment

                                                                      • Bigjohn
                                                                        Confirmed User
                                                                        • Feb 2003
                                                                        • 1118

                                                                        #36
                                                                        I typically do a view source to veryfiy any link that wants me to enter personal info. Guess my paranoia is finally paying off

                                                                        Comment

                                                                        • Theo
                                                                          HAL 9000
                                                                          • May 2001
                                                                          • 34515

                                                                          #37
                                                                          Originally posted by JSA Matt


                                                                          It works with paypal.com too : )

                                                                          Test: <a href="http://www.adult.com%[email protected]/">Adult.com</a>

                                                                          Alex bought adult.com



                                                                          isn't it crazy that after all these years nobody had noticed this bug?

                                                                          Comment

                                                                          • Why
                                                                            MFBA
                                                                            • Mar 2003
                                                                            • 7230

                                                                            #38
                                                                            this exploit has been around for many many years and is not going anywhere, its for hahahahahading usernames and passwords into URLS.

                                                                            Comment

                                                                            • JulianSosa
                                                                              Confirmed User
                                                                              • Aug 2003
                                                                              • 3042

                                                                              #39
                                                                              Originally posted by Why
                                                                              this exploit has been around for many many years and is not going anywhere, its for hahahahahading usernames and passwords into URLS.
                                                                              Wrong.


                                                                              But why the hell did some one post this

                                                                              Comment

                                                                              • TurboTrucker
                                                                                Confirmed User
                                                                                • Jan 2003
                                                                                • 2363

                                                                                #40
                                                                                Very interesting

                                                                                <a href="http://www.flowersandsunshine.com%[email protected]/">flowersandsunshine.com</a>

                                                                                Comment

                                                                                • Why
                                                                                  MFBA
                                                                                  • Mar 2003
                                                                                  • 7230

                                                                                  #41
                                                                                  Originally posted by JulianSosa


                                                                                  Wrong.


                                                                                  But why the hell did some one post this
                                                                                  go read the RFC;s

                                                                                  Comment

                                                                                  • quantum-x
                                                                                    Confirmed User
                                                                                    • Feb 2002
                                                                                    • 6863

                                                                                    #42
                                                                                    Cos I thougth It was interesting and pertinent to us.

                                                                                    re: beign around for years.. i think you're confusing it with:

                                                                                    https://www.microsoft.com/legitimate...tml@obfuscated

                                                                                    which of course sends the first part as the username and is ignored.

                                                                                    This one is similar, except the real url is totally hidden, in the link, the status bar and the url bar.

                                                                                    same idea, a little bit trickier.
                                                                                    PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -

                                                                                    Comment

                                                                                    •  Smokey The Bear 
                                                                                      So Fucking Banned
                                                                                      • Dec 2003
                                                                                      • 3880

                                                                                      #43
                                                                                      Originally posted by Mr.Fiction
                                                                                      How long will it take someone to blame Smokey The Bear for this?
                                                                                      Smokey did it. LOL Damn bastard.

                                                                                      9/11 smokeys fault.
                                                                                      teen pregnancy smokeys fault.

                                                                                      Comment

                                                                                      • Why
                                                                                        MFBA
                                                                                        • Mar 2003
                                                                                        • 7230

                                                                                        #44
                                                                                        Originally posted by quantum-x
                                                                                        Cos I thougth It was interesting and pertinent to us.

                                                                                        re: beign around for years.. i think you're confusing it with:

                                                                                        https://www.microsoft.com/legitimate...tml@obfuscated

                                                                                        which of course sends the first part as the username and is ignored.

                                                                                        This one is similar, except the real url is totally hidden, in the link, the status bar and the url bar.

                                                                                        same idea, a little bit trickier.
                                                                                        ok, im using opera, and a patched version of IE apparently, cause it showed right url for me.

                                                                                        Comment

                                                                                        • quantum-x
                                                                                          Confirmed User
                                                                                          • Feb 2002
                                                                                          • 6863

                                                                                          #45
                                                                                          Originally posted by Why
                                                                                          ok, im using opera, and a patched version of IE apparently, cause it showed right url for me.
                                                                                          For anyone who doubts the implications of this


                                                                                          http://www.epassport.com

                                                                                          Go there and login.
                                                                                          Last edited by quantum-x; 12-11-2003, 11:45 PM.
                                                                                          PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -

                                                                                          Comment

                                                                                          • quantum-x
                                                                                            Confirmed User
                                                                                            • Feb 2002
                                                                                            • 6863

                                                                                            #46
                                                                                            Fuck!

                                                                                            I just noticed this fools google PR too.

                                                                                            damn, this goes deeper than i thought... it REALLY looks legit now.
                                                                                            PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -

                                                                                            Comment

                                                                                            •  Smokey The Bear 
                                                                                              So Fucking Banned
                                                                                              • Dec 2003
                                                                                              • 3880

                                                                                              #47
                                                                                              Originally posted by quantum-x


                                                                                              For anyone who doubts the implications of this


                                                                                              http://www.epassport.com

                                                                                              Go there and login.
                                                                                              heh nice demo

                                                                                              Comment

                                                                                              • quantum-x
                                                                                                Confirmed User
                                                                                                • Feb 2002
                                                                                                • 6863

                                                                                                #48
                                                                                                wee i jsut won a tshirt for this :D
                                                                                                PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -

                                                                                                Comment

                                                                                                • Matt 26z
                                                                                                  So Fucking Banned
                                                                                                  • Apr 2002
                                                                                                  • 18481

                                                                                                  #49
                                                                                                  I got hit with it 6 to 8 months ago.

                                                                                                  My address bar would say msn.com, but the search page included links to porn and casino's. That seemed kind of odd.

                                                                                                  Comment

                                                                                                  • OAEN
                                                                                                    Confirmed User
                                                                                                    • Nov 2003
                                                                                                    • 124

                                                                                                    #50
                                                                                                    The possiblities with blind clicks are endless...
                                                                                                    <-- I do not recommend anything that might be under my name. It's a sellout by GFY.

                                                                                                    Comment

                                                                                                    Working...