Hasn't this been going on for quite some time? I seem to remember someone in the IRC channel once getting an email that led them to a site that looked very much like it could have been a legit tracking site for some online retailer. It wanted them to varify CC info or something. The link and content looked legit, but it was actually a fake url, iirc.

i too remember seeing several instances of this in the recent past. at least a few times in ebay or paypal scams. it's tough, b/c even if it's not perfect, a majority of computer users may not know enough to know the difference.

Yes, this has been around for quite a while. In a very few cases it can be beneficial, such as if you are using multiple hosts and would like a single name displayed in the address bar, rather than a www4, www3, or mirror1, et cetera.

However it really is used to trick people who don't know to look for the more subtle hints, such as where the URLs in the document refer to. In the end it's all the same - abuse of ignorance. I don't know whether to pity the ignorant and chide the criminals, or cheer on the criminals and chide the ignorant.

And hey, there's always Mozilla.

If I'm reading that statement correctly (and I may not be, as its ambiguous), then it seems to imply that a genuine url could be faked on a non-genuine website (i.e. the displayed url is different to the actual url). Thats a whole new ball game to displaying a similar looking url on a fake site. Whoops ... :blush:

If I understand it correctly, it won't be much different than what v3 and other redirectors are using to give you a single easy url that'll show up in the adresse field..

This is quite handy for smaller companies, who can't afford their own server, or those who move around from one server to another quite often...

So I hope that this exploit won't remove that option in the future, but instead that certain safeguards'll be put in place to hinder people "stealing" an url without the owners permission...

What are we really trying to say?

Well, I am new to the posting scene but I have been following up on industry news and such every since I discovered this site..
Anyway, I don't see this as being a positive thing by any stretch... Think about it, how many more vunerabilities could there possibly be in IE.. it's ridiculous. Anything that will allow for easy paths to misleading innocent users to their ultimate demise should be seen as unacceptable. The only reason they(MS) have been able to get away with this is because there was never an alternative available and thus, allowing them to completely eat up the market.
I say everyone and their mother should boycott Microsoft and use Mozilla or some other browser.. Let them feel the sqeeze.... Oops, I forgot, there's one problem with that, MS has a strangle hold on the industry forcing them to use their software, so for MS to really feel the squeeze, the industry itself will have to turn on Microsoft.
Anyway, that's my piece on this whole thing!

Great site!

Asand4

Spoofed Sites

I have already seen several very convincing e-mails attempting to get me to enter either my Paypal or Ebay credentials. In each case, a web address comprised only of an unresolved IP address confirmed my suspicions of a ruse. If the address can now be faked to actually contain paypal or ebay in the name, it will be a lot harder to figure out these are fakes.

wow. this is a little different:
http://www.microsoft.com
try it and see if you're vulnerable (totally safe)

Good demonstration Krugger, on IE it shows up as http://www.microsoft.com and on Firebird it shows up as

http://www.microsoft.com
@secunia.com/internet_explorer_address_bar_spoofing_test/

..ww.microsoft.com%01%00@secunia.com/internet_explorer_address_bar_spoofing_test..

is this vulnerability fixable with pivx quik-fix?

Thats what I took it to mean as well, which I've seen in several legit sites, especially those that have content spanned over several free hosts.

It does seem that there should be some way of keeping people from spoofing URLs.

Glad to see I wasn't the only one to think along those lines

As for how to keep people from spoofing urls, I doubt there'll be a fool-proof way of doing it, but it shouldn't be too hard to implement some code which makes it much harder than it is today....
Ie. some code would have to be present in the url you're "spoofing" (legaly) that tells the browser to accept the "spoofing" if the site "spoofing" is a) on a list and/or b) has sendt the right parameters...

This would make it much harder to spoof without doing some real hacking...


The reason I doubt we'll be able to keep it spoof-free is that with the right knowledge you can spoof someone's hardware encoded mac adresse, and if that is possible, it will be possible to spoof anything less "secure"...

According to this article in TheInquirer, Mozilla is at least partially vulnerable to this problem also. Also, there's a link to a handy little test, so that you can check your browser to see if it is also vulnerable. I tried this test on MyIE2 and it's vulnerable. Also on Opera, it shows this in the address bar, at the end of the url, "spoofing_test".

as for the people that said this resembled the earlier way you'd seen spoofing done, is it the same thing? i can't remember myself cause i havent seen one in a while. the link i posted was the same as the above article, where it shows only www.microsoft.com in the address bar and status bar, but the actual address is ww.microsoft.com%01%00@secunia.com/internet_explorer_address_bar_spoofing_test/
cause that seems very very dangerous to me. to be able to totally mimic a site's url in both the address bar and status bar with no way to know unless you copy and paste the link itself... that's asking for ripoff bank/CC/paypal-ebay sites that are undetectable to the average users. more so than the fake ones you see now...

Sorry, Krugger, I missed your link.

By the way, when I ran that test, at almost the same moment that the test page loaded, Zone Alarm Pro, shut down my internet access, gave me warning, (don't remember exactly what it said, I had a panic attack, but it said to run a virus scan), and made me restart ZAP to get access again. I don't know if this was caused by the test or some other problem.

no no, i didnt mean to imply anything, i was just sayin if they wanted to see what it looked like, they could examine the link in my post that's all. i don't care about who posted first

Well, not as such no... The other way is to load an invisible frame from the target site, and then the rest from the real server. But doing it that way means that if you bookmark a different page (on the same site) you'll only get to the front page.

But using this (the url) spoofing would make the site look more professional, and still being able to use different/cheaper solution than otherwise possible.

Which is why I hope for a "secure" solution, and not just permanent removal of it.