New IE Bug Hides Real Site Address - Are you vulnerable? - GoFuckYourself.com

quantum-x · 12-11-2003, 04:10 PM

Read about this one.. it's actually pretty nasty!

It allows people to fake what displays up in the location bar, while the browser points somewhere else...

TEST here

Read the advisories here

I wonder how long it'll take for people to start using https://secure-russian-billing.com :/

quantum-x · 12-11-2003, 04:12 PM

Check the test link above. It links offsite, but the browser even thinks it's going to the spoofed site - and only shows that i the status bar.

This is more than slghtly nasty!

Dirty F · 12-11-2003, 04:13 PM

Im safe...

Using Opera.

Smokey The Bear · 12-11-2003, 04:24 PM

What part of " I.E. " in the thread title didnt you get battuss ?

gornyhuy · 12-11-2003, 04:30 PM

Shit!

Now how can I make money from this?

Dirty F · 12-11-2003, 04:32 PM

Quote:

Originally posted by *Smokey The Bear*
What part of " I.E. " in the thread title didnt you get battuss ?

What part of im safe, im using Opera didnt you get idiot?

Stop fucking stalking me...youre like shit under my shoe that just wont go.

Fucking freak.

404 · 12-11-2003, 04:45 PM

holy fuck...

quantum-x · 12-11-2003, 04:46 PM

Quote:

Originally posted by Battuss

What part of im safe, im using Opera didnt you get idiot?

Stop fucking stalking me...youre like shit under my shoe that just wont go.

Fucking freak.

heeere we go :D

Lane · 12-11-2003, 05:30 PM

Quote:

Originally posted by gornyhuy
Shit!

Now how can I make money from this?

spam those fake paypal emails, and the address will look real

Lensman · 12-11-2003, 05:33 PM

Good one.

Mr.Fiction · 12-11-2003, 05:34 PM

How long will it take someone to blame Smokey The Bear for this?

ThunderBalls · 12-11-2003, 05:38 PM

Quote:

Originally posted by gornyhuy
Shit!

Now how can I make money from this?

Thats what I was thinking!

ThunderBalls · 12-11-2003, 05:40 PM

Netscape 7.1 is also vulnerable to this.

404 · 12-11-2003, 05:58 PM

shit, there don't seem to be any work-arounds yet either, although right-click/properties on the link shows the offending character.

i'm guessing the phishers are doing overtime on their fake sites at the moment.

JSA Matt · 12-11-2003, 06:03 PM

It doesn't work with sites that redirect / break out of frames.. like cnn.com

Nice find though

JSA Matt · 12-11-2003, 06:04 PM

Quote:

Originally posted by Lane
spam those fake paypal emails, and the address will look real

It works with paypal.com too : )

Test: <a href="http://www.adult.com%[email protected]/">Adult.com</a>

TheJimmy · 12-11-2003, 06:05 PM

Quote:

Originally posted by ThunderBalls
Netscape 7.1 is also vulnerable to this.

I just hit their test link and my NS 7.1 didn't get exploited...

in-ter-esting...

only sounds worthwhile to <><'ers & carders...

$5 submissions · 12-11-2003, 06:09 PM

Quote:

Originally posted by Mr.Fiction
How long will it take someone to blame Smokey The Bear for this?

LOL. Seriously, somebody should hire him as a security expert. Dude's got skillz.

gleb · 12-11-2003, 06:12 PM

haha thats cool

now u've made me extra paranoid

NoAngel · 12-11-2003, 06:14 PM

More Vuln. of IE

Liu Die Yu - Chinese IT Expert

fuzebox · 12-11-2003, 06:25 PM

So how does it look under IE? I still see the site, but the full URL is shown in the address bar (fakeurl + garbage characters + @real url etc)...

In the status bar I see the fake url + a garbage character.

Does this all look clean and unassuming under IE? Everything after (and including) the garbage character hidden?

If so, nice.

funkmaster · 12-11-2003, 06:33 PM

Quote:

Originally posted by Lane

spam those fake paypal emails, and the address will look real

... this got me started !!

420 · 12-11-2003, 06:50 PM

looks alot of people are going to get scammed this christmas

quantum-x · 12-11-2003, 06:53 PM

Quote:

Originally posted by fuzebox
So how does it look under IE? I still see the site, but the full URL is shown in the address bar (fakeurl + garbage characters + @real url etc)...

In the status bar I see the fake url + a garbage character.

Does this all look clean and unassuming under IE? Everything after (and including) the garbage character hidden?

If so, nice.

looks coche all the way, even when you move your mouse over the link :/

Dildozer · 12-11-2003, 06:57 PM

haha my first thought was also sending someone at goatse.cx

quantum-x · 12-11-2003, 06:59 PM

Quote:

Originally posted by Dildozer
haha my first thought was also sending someone at goatse.cx

I think that's a call out for people to make the funniest fake url w/ the ie bug competition :D

lEricPl · 12-11-2003, 07:10 PM

It looks like all it does is use a line break to seperate the URL.

microsoft.com%[email protected]/internet_explorer_address_bar_spoofing_test/

The URL is basically on 2 lines.

This does not just effect IE.

NoAngel · 12-11-2003, 07:17 PM

Just check your personal 'ignore list', after a redirect with my IE got some new entries there

Jman69 · 12-11-2003, 07:25 PM

Sure enough my IE failed the test, with netscape it added a bunch of extra characters to the url.

Its shit like this that makes me glad netscape is my default browser.

NoAngel · 12-11-2003, 07:26 PM

Quote:

Originally posted by Jman69
Sure enough my IE failed the test, with netscape it added a bunch of extra characters to the url.

Its shit like this that makes me glad netscape is my default browser.

- thinking about it this moment

quantum-x · 12-11-2003, 07:43 PM

Quote:

Originally posted by Jman69
Sure enough my IE failed the test, with netscape it added a bunch of extra characters to the url.

Its shit like this that makes me glad netscape is my default browser.

yeah, pity that the 90% of people out thhere don't do the same thing..

pamphage · 12-11-2003, 08:28 PM

wow. thats the scariest thing i've seen in awhile. even i might have fallen for it in an email scam or something had they caught me at a bad time.

well once again ie has proven once again to be the new pioneer into gaping security holes. im suprised this one wasn't found sooner. smokey must have been wasting too much time lurking on gfy ;)

Swanks · 12-11-2003, 08:31 PM

Quote:

Originally posted by Mr.Fiction
How long will it take someone to blame Smokey The Bear for this?

pamphage · 12-11-2003, 08:39 PM

wow this is fun to freak out your friends and family. you can tell them you are a l33t haxx0r and you took over yahoo.com

<a href="http://www.yahoo.com%[email protected]/">Yahoo</a>

rowan · 12-12-2003, 12:35 AM

I notice that google's toolbar shows the PR for the fake URL, rather than the actual site it's loading. I guess this will happen with most plugins coded in C, since it will see the %00 as a string terminator.

Bigjohn · 12-12-2003, 12:45 AM

I typically do a view source to veryfiy any link that wants me to enter personal info. Guess my paranoia is finally paying off

Theo · 12-12-2003, 12:51 AM

Quote:

Originally posted by JSA Matt

It works with paypal.com too : )

Test: <a href="http://www.adult.com%[email protected]/">Adult.com</a>

Alex bought adult.com

isn't it crazy that after all these years nobody had noticed this bug?

Why · 12-12-2003, 12:52 AM

this exploit has been around for many many years and is not going anywhere, its for hahahahahading usernames and passwords into URLS.

JulianSosa · 12-12-2003, 12:56 AM

Quote:

Originally posted by Why
this exploit has been around for many many years and is not going anywhere, its for hahahahahading usernames and passwords into URLS.

Wrong.

But why the hell did some one post this

TurboTrucker · 12-12-2003, 01:05 AM

Very interesting

<a href="http://www.flowersandsunshine.com%[email protected]/">flowersandsunshine.com</a>

Why · 12-12-2003, 01:08 AM

Quote:

Originally posted by JulianSosa

Wrong.

But why the hell did some one post this

go read the RFC;s

quantum-x · 12-12-2003, 01:12 AM

Cos I thougth It was interesting and pertinent to us.

re: beign around for years.. i think you're confusing it with:

www.microsoft.com/legitimate/url.html@obfuscated

which of course sends the first part as the username and is ignored.

This one is similar, except the real url is totally hidden, in the link, the status bar and the url bar.

same idea, a little bit trickier.

Smokey The Bear · 12-12-2003, 01:21 AM

Quote:

Originally posted by Mr.Fiction
How long will it take someone to blame Smokey The Bear for this?

Smokey did it. LOL Damn bastard.

9/11 smokeys fault.
teen pregnancy smokeys fault.

Why · 12-12-2003, 01:26 AM

Quote:

Originally posted by quantum-x
Cos I thougth It was interesting and pertinent to us.

re: beign around for years.. i think you're confusing it with:

www.microsoft.com/legitimate/url.html@obfuscated

which of course sends the first part as the username and is ignored.

This one is similar, except the real url is totally hidden, in the link, the status bar and the url bar.

same idea, a little bit trickier.

ok, im using opera, and a patched version of IE apparently, cause it showed right url for me.

quantum-x · 12-12-2003, 01:40 AM

Quote:

Originally posted by Why
ok, im using opera, and a patched version of IE apparently, cause it showed right url for me.

For anyone who doubts the implications of this

http://www.epassport.com

Go there and login.

quantum-x · 12-12-2003, 01:44 AM

Fuck!

I just noticed this fools google PR too.

damn, this goes deeper than i thought... it REALLY looks legit now.

Smokey The Bear · 12-12-2003, 01:51 AM

Quote:

Originally posted by quantum-x

For anyone who doubts the implications of this

http://www.epassport.com

Go there and login.

heh nice demo

quantum-x · 12-13-2003, 06:01 PM

wee i jsut won a tshirt for this :D

Matt 26z · 12-13-2003, 06:19 PM

I got hit with it 6 to 8 months ago.

My address bar would say msn.com, but the search page included links to porn and casino's. That seemed kind of odd.

OAEN · 12-13-2003, 08:07 PM

The possiblities with blind clicks are endless...

12-11-2003, 04:10 PM	#1
quantum-x Confirmed User Join Date: Feb 2002 Location: ICQ: 251425 Fr/Au/Ca Posts: 6,863	New IE Bug Hides Real Site Address - Are you vulnerable? Read about this one.. it's actually pretty nasty! It allows people to fake what displays up in the location bar, while the browser points somewhere else... TEST here Read the advisories here I wonder how long it'll take for people to start using https://secure-russian-billing.com :/

12-11-2003, 04:30 PM	#5
gornyhuy Chafed. Join Date: May 2002 Location: Face Down in Pussy Posts: 18,041	Shit! Now how can I make money from this? __________________ icq:159548293

12-11-2003, 04:45 PM	#7
404 Confirmed abUser Industry Role: Join Date: Jun 2003 Location: Internet Explorer cannot display the webpage Posts: 1,154	holy fuck... __________________ (b] cheap hmtl programer for hire (/b)

12-11-2003, 05:58 PM	#14
404 Confirmed abUser Industry Role: Join Date: Jun 2003 Location: Internet Explorer cannot display the webpage Posts: 1,154	shit, there don't seem to be any work-arounds yet either, although right-click/properties on the link shows the offending character. i'm guessing the phishers are doing overtime on their fake sites at the moment. __________________ (b] cheap hmtl programer for hire (/b)

12-11-2003, 06:14 PM	#20
NoAngel Confirmed User Join Date: Oct 2003 Location: Czech Republic Posts: 333	More Vuln. of IE Liu Die Yu - Chinese IT Expert __________________ The place for (No)Angels - Always New Models and Faces Custom and Exclusive Photo-Video Content ICQ:335332443

12-11-2003, 04:12 PM	#2
quantum-x Confirmed User Join Date: Feb 2002 Location: ICQ: 251425 Fr/Au/Ca Posts: 6,863	Check the test link above. It links offsite, but the browser even thinks it's going to the spoofed site - and only shows that i the status bar. This is more than slghtly nasty!

12-11-2003, 04:13 PM	#3
Dirty F Too lazy to set a custom title Industry Role: Join Date: Jul 2001 Posts: 59,204	Im safe... Using Opera.

12-11-2003, 04:24 PM	#4
Smokey The Bear So Fucking Banned Join Date: Dec 2003 Location: South Of Heaven™ Posts: 3,880	What part of " I.E. " in the thread title didnt you get battuss ?

12-11-2003, 05:33 PM	#10
Lensman GFY Chaperone Join Date: Jan 2001 Location: Adult.com Posts: 9,846	Good one.

12-11-2003, 05:34 PM	#11
Mr.Fiction Confirmed User Join Date: Feb 2002 Location: Free Speech Land Posts: 9,484	How long will it take someone to blame Smokey The Bear for this?

12-11-2003, 05:40 PM	#13
ThunderBalls So Fucking Banned Industry Role: Join Date: Oct 2002 Location: Mesosphere Posts: 2,926	Netscape 7.1 is also vulnerable to this.

12-11-2003, 06:03 PM	#15
JSA Matt So Fucking Banned Join Date: Aug 2003 Location: San Diego, CA Posts: 5,464	It doesn't work with sites that redirect / break out of frames.. like cnn.com Nice find though

12-11-2003, 06:12 PM	#19
gleb Confirmed User Join Date: Nov 2002 Location: NY Posts: 311	haha thats cool now u've made me extra paranoid

12-11-2003, 06:25 PM	#21
fuzebox making it rain Industry Role: Join Date: Oct 2003 Location: seattle Posts: 22,114	So how does it look under IE? I still see the site, but the full URL is shown in the address bar (fakeurl + garbage characters + @real url etc)... In the status bar I see the fake url + a garbage character. Does this all look clean and unassuming under IE? Everything after (and including) the garbage character hidden? If so, nice.

12-11-2003, 06:50 PM	#23
420 cuck Industry Role: Join Date: Mar 2003 Posts: 11,571	looks alot of people are going to get scammed this christmas

12-11-2003, 06:57 PM	#25
Dildozer Confirmed User Join Date: Jul 2002 Location: Montreal Posts: 7,519	haha my first thought was also sending someone at goatse.cx __________________ Spam link here

12-11-2003, 07:10 PM	#27
lEricPl Confirmed User Join Date: Dec 2002 Location: FL Posts: 1,062	It looks like all it does is use a line break to seperate the URL. microsoft.com%[email protected]/internet_explorer_address_bar_spoofing_test/ The URL is basically on 2 lines. This does not just effect IE.

12-11-2003, 07:17 PM	#28
NoAngel Confirmed User Join Date: Oct 2003 Location: Czech Republic Posts: 333	Just check your personal 'ignore list', after a redirect with my IE got some new entries there __________________ The place for (No)Angels - Always New Models and Faces Custom and Exclusive Photo-Video Content ICQ:335332443

12-11-2003, 07:25 PM	#29
Jman69 Confirmed User Join Date: Nov 2003 Location: Canada Posts: 240	Sure enough my IE failed the test, with netscape it added a bunch of extra characters to the url. Its shit like this that makes me glad netscape is my default browser.

12-11-2003, 08:28 PM	#32
pamphage Confirmed User Join Date: Jan 2003 Location: Hollywood, CA Posts: 3,569	wow. thats the scariest thing i've seen in awhile. even i might have fallen for it in an email scam or something had they caught me at a bad time. well once again ie has proven once again to be the new pioneer into gaping security holes. im suprised this one wasn't found sooner. smokey must have been wasting too much time lurking on gfy ;) __________________ SIG TOO BIG! Maximum 120x60 button and no more than 3 text lines of DEFAULT SIZE and COLOR. Unless your sig is for a GFY top banner sponsor, you may use a 624x80 instead of a 120x60. Let me repeat... A 120 x 60 button and no more that 3 lines of DEFAULT SIZE AND COLOR text.

12-11-2003, 08:39 PM	#34
pamphage Confirmed User Join Date: Jan 2003 Location: Hollywood, CA Posts: 3,569	wow this is fun to freak out your friends and family. you can tell them you are a l33t haxx0r and you took over yahoo.com <a href="http://www.yahoo.com%[email protected]/">Yahoo</a> __________________ SIG TOO BIG! Maximum 120x60 button and no more than 3 text lines of DEFAULT SIZE and COLOR. Unless your sig is for a GFY top banner sponsor, you may use a 624x80 instead of a 120x60. Let me repeat... A 120 x 60 button and no more that 3 lines of DEFAULT SIZE AND COLOR text.

12-12-2003, 12:35 AM	#35
rowan Too lazy to set a custom title Join Date: Mar 2002 Location: Australia Posts: 17,393	I notice that google's toolbar shows the PR for the fake URL, rather than the actual site it's loading. I guess this will happen with most plugins coded in C, since it will see the %00 as a string terminator.

12-12-2003, 12:45 AM	#36
Bigjohn Confirmed User Join Date: Feb 2003 Location: Deep inside my mind Posts: 1,118	I typically do a view source to veryfiy any link that wants me to enter personal info. Guess my paranoia is finally paying off

12-12-2003, 12:52 AM	#38
Why MFBA Industry Role: Join Date: Mar 2003 Location: PNW Posts: 7,230	this exploit has been around for many many years and is not going anywhere, its for hahahahahading usernames and passwords into URLS.

12-12-2003, 01:05 AM	#40
TurboTrucker Confirmed User Join Date: Jan 2003 Location: Phoenix Arizona Posts: 2,363	Very interesting <a href="http://www.flowersandsunshine.com%[email protected]/">flowersandsunshine.com</a> __________________

12-12-2003, 01:12 AM	#42
quantum-x Confirmed User Join Date: Feb 2002 Location: ICQ: 251425 Fr/Au/Ca Posts: 6,863	Cos I thougth It was interesting and pertinent to us. re: beign around for years.. i think you're confusing it with: www.microsoft.com/legitimate/url.html@obfuscated which of course sends the first part as the username and is ignored. This one is similar, except the real url is totally hidden, in the link, the status bar and the url bar. same idea, a little bit trickier.

12-12-2003, 01:44 AM	#46
quantum-x Confirmed User Join Date: Feb 2002 Location: ICQ: 251425 Fr/Au/Ca Posts: 6,863	Fuck! I just noticed this fools google PR too. damn, this goes deeper than i thought... it REALLY looks legit now.

12-13-2003, 06:01 PM	#48
quantum-x Confirmed User Join Date: Feb 2002 Location: ICQ: 251425 Fr/Au/Ca Posts: 6,863	wee i jsut won a tshirt for this :D

12-13-2003, 06:19 PM	#49
Matt 26z So Fucking Banned Industry Role: Join Date: Apr 2002 Location: ¤ª"˜¨๑۩۞۩๑¨˜"ª¤ Posts: 18,481	I got hit with it 6 to 8 months ago. My address bar would say msn.com, but the search page included links to porn and casino's. That seemed kind of odd.

12-13-2003, 08:07 PM	#50
OAEN Confirmed User Join Date: Nov 2003 Location: Omnipresent Posts: 124	The possiblities with blind clicks are endless... __________________ <-- I do not recommend anything that might be under my name. It's a sellout by GFY.