URL spoofing flaw could be used in bank scams

This seems to be a serious flaw in IE, discovered by a graphic designer, and it's very simple to implement.

Check this page for a demo of the effect in IE. So scary!

So by typing
http://www.microsoft.com @zapthedingbat.com/security/ex01/vun2.htm, Internet Explorer shows only the part before the @ and displays http://www.microsoft.com in the address bar.

Why? Note the special non-printing character included just before the @.
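Added example, not code from the post or from the demo's author: a check that parses the URL the way the standard does (the real host is whatever follows the last @) and flags links where the userinfo part is dressed up to look like a hostname. The post only says "a special non-printing character", so the `\x01` used in the constructed sample, and the handling of its percent-encoded form, are assumptions.

```python
"""Flag URLs whose userinfo part could be mistaken for the real host.

A URL authority is [userinfo@]host[:port]. A browser navigates to the host
AFTER the last '@', so everything before it is attacker-chosen text that a
user (or a buggy address bar) may read as the destination.
"""
import re
from urllib.parse import urlsplit, unquote

# Constructed sample: "www.microsoft.com" is the decoy, \x01 stands in for the
# hidden control character (assumption), zapthedingbat.com is the real host.
DECOY_URL = "http://www.microsoft.com\x01@zapthedingbat.com/security/ex01/vun2.htm"

HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)  # looks like a domain
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")                     # C0 controls + DEL


def analyze_url(url: str) -> dict:
    """Return the real host plus reasons the userinfo part looks deceptive."""
    parts = urlsplit(url)
    real_host = parts.hostname or ""
    userinfo = parts.username          # text before the last '@', None if absent
    findings = []
    if userinfo is not None:
        decoded = unquote(userinfo)    # also catch a %-encoded control character
        if CONTROL_RE.search(decoded):
            findings.append("control character hidden in userinfo")
        visible = CONTROL_RE.sub("", decoded)   # what a reader would actually see
        if HOSTNAME_RE.match(visible):
            findings.append(f"userinfo '{visible}' looks like a hostname")
    return {
        "real_host": real_host,
        "userinfo": userinfo,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    for link in (DECOY_URL, "http://www.microsoft.com/", "http://alice@example.com/"):
        print(analyze_url(link))
```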

Imagine a spammer who wants to redirect gullible users to a fictitious bank site, something like asking for account details!

Easy, and the scam can go as far as duplicating the whole website. I think MSFT should release a very quick answer to this. It reminds me of the 'old' $DATA flaw in IIS 4 a few years ago.

More details here, or you can read the Microsoft KB here.


3 Comments

  • My mom and sister have been using PayPal to send each other money recently. I've been worried my mom might be tricked into giving credit card details on a PayPal spoofed site. Someone could easily spam out to millions of people spoofing Amazon.com saying they need to reverify credit card data for the order to be processed in time for Christmas. Looks like amazon.com, says amazon.com. I'd say 1% of people that receive that e-mail have placed a Christmas order, and if only 10% of all users fall for it (although I think it would be much higher), someone has done some serious damage...

    I think I might go over to mom's house and install Mozilla and just erase all links to IE for my mom.

  • Yes, it's surely a good idea. 10% could be a substantial amount of money.

    Damn the spammers!

  • Just a note, but at least this doesn't work with the version of Mozilla I'm using. Of course, the percentage of people using IE is pretty high so....
