IE bug lets fake sites look real

By on December 10, 2003, 7:42 PM
Microsoft on Tuesday said it was looking into reports of a potential bug in its Web browser that could help malicious hackers design convincing Web site spoofs.

The bug, according to security alerts by a bug hunter and a Danish security company, Secunia, could let hackers use a technique to display a false Web address on a fake site.

Read more: [URL=http://news.com.com/2100-7355_3-5119440.html?tag=nefd_top]CNet News[/URL].




User Comments: 19

Got something to say? Post a comment
StormBringer said:
Hasn't this been going on for quite some time? I seem to remember someone in the IRC channel once getting an email that led them to a site that looked very much like it could have been a legit tracking site for some online retailer. It wanted them to varify CC info or something. The link and content looked legit, but it was actually a fake url, iirc.
Krugger said:
i too remember seeing several instances of this in the recent past. at least a few times in ebay or paypal scams. it's tough, b/c even if it's not perfect, a majority of computer users may not know enough to know the difference.
Soul Harvester said:
Yes, this has been around for quite a while. In a very few cases it can be beneficial, such as if you are using multiple hosts and would like a single name displayed in the address bar, rather than a www4, www3, or mirror1, et cetera.However it really is used to trick people who don't know to look for the more subtle hints, such as where the URLs in the document refer to. In the end it's all the same - abuse of ignorance. I don't know whether to pity the ignorant and chide the criminals, or cheer on the criminals and chide the ignorant. And hey, there's always [url=http://www.mozilla.org]Mozilla[/url].
poertner_1274 said:
Yes, as always the best defense against this sort of thing is a keen awareness. If you pay attention to what you are doing, instead of just clicking, clicking, clicking then you probably won't have to worry about these sort of things.Just be smart, plain and simple
Nic said:
[quote][i]Originally posted by Julio [/i]The bug, according to security alerts by a bug hunter and a Danish security company, Secunia, could let hackers use a technique to display a [b]false Web address[/b] on a fake site.[/quote]If I'm reading that statement correctly (and I may not be, as its ambiguous), then it seems to imply that a genuine url could be faked on a non-genuine website (i.e. the displayed url is different to the actual url). Thats a whole new ball game to displaying a similar looking url on a fake site. Whoops ... :blush:
MrGaribaldi said:
If I understand it correctly, it won't be much different than what v3 and other redirectors are using to give you a single easy url that'll show up in the adresse field..This is quite handy for smaller companies, who can't afford their own server, or those who move around from one server to another quite often... So I hope that this exploit won't remove that option in the future, but instead that certain safeguards'll be put in place to hinder people "stealing" an url without the owners permission...
asand4 said:
Well, I am new to the posting scene but I have been following up on industry news and such every since I discovered this site..Anyway, I don't see this as being a positive thing by any stretch... Think about it, how many more vunerabilities could there possibly be in IE.. it's ridiculous. Anything that will allow for easy paths to misleading innocent users to their ultimate demise should be seen as unacceptable. The only reason they(MS) have been able to get away with this is because there was never an alternative available and thus, allowing them to completely eat up the market. I say everyone and their mother should boycott Microsoft and use Mozilla or some other browser.. Let them feel the sqeeze.... Oops, I forgot, there's one problem with that, MS has a strangle hold on the industry forcing them to use their software, so for MS to really feel the squeeze, the industry itself will have to turn on Microsoft.Anyway, that's my piece on this whole thing!Great site!Asand4
Tom Ferguson said:
I have already seen several very convincing e-mails attempting to get me to enter either my Paypal or Ebay credentials. In each case, a web address comprised only of an unresolved IP address confirmed my suspicions of a ruse. If the address can now be faked to actually contain paypal or ebay in the name, it will be a lot harder to figure out these are fakes.
Krugger said:
wow. this is a little different:[URL=http://www.microsoft.com%00@secunia.com/inte
net_explorer_address_bar_spoofing_test/]http://www.microso
t.com[/URL]try it and see if you're vulnerable (totally safe)
poertner_1274 said:
Looks like my browser is OK :D Opera rules.
Tarkus said:
Good demonstration Krugger, on IE it shows up as [url]http://www.microsoft.com[/url] and on Firebird it shows up as [url]http://www.microsoft.com%01%00@secunia.com/internet_exp
orer_address_bar_spoofing_test/[/url]..ww.microsoft.com%01
00@secunia.com/internet_explorer_address_bar_spoofing_test
.
BrownPaper said:
is this vulnerability fixable with pivx quik-fix?
StormBringer said:
[quote][i]Originally posted by MrGaribaldi [/i]If I understand it correctly, it won't be much different than what v3 and other redirectors are using to give you a single easy url that'll show up in the adresse field..This is quite handy for smaller companies, who can't afford their own server, or those who move around from one server to another quite often... So I hope that this exploit won't remove that option in the future, but instead that certain safeguards'll be put in place to hinder people "stealing" an url without the owners permission... [/quote] Thats what I took it to mean as well, which I've seen in several legit sites, especially those that have content spanned over several free hosts.It does seem that there should be some way of keeping people from spoofing URLs.
MrGaribaldi said:
[quote][i]Originally posted by StormBringer [/i]Thats what I took it to mean as well, which I've seen in several legit sites, especially those that have content spanned over several free hosts.It does seem that there should be some way of keeping people from spoofing URLs. [/quote] Glad to see I wasn't the only one to think along those lines :)As for how to keep people from spoofing urls, I doubt there'll be a fool-proof way of doing it, but it shouldn't be too hard to implement some code which makes it much harder than it is today....Ie. some code would have to be present in the url you're "spoofing" (legaly) that tells the browser to accept the "spoofing" if the site "spoofing" is a) on a list and/or b) has sendt the right parameters...This would make it much harder to spoof without doing some real hacking...The reason I doubt we'll be able to keep it spoof-free is that with the right knowledge you can spoof someone's hardware encoded mac adresse, and if that is possible, it will be possible to spoof anything less "secure"...
olefarte said:
According to [url=http://www.theinquirer.net/?article=13158]this article[/url] in TheInquirer, Mozilla is at least partially vulnerable to this problem also. Also, there's a link to a handy little test, so that you can check your browser to see if it is also vulnerable. I tried this test on MyIE2 and it's vulnerable. Also on Opera, it shows this in the address bar, at the end of the url, "spoofing_test".[quote]THE BUG WE REPORTED earlier this week that allows people to spoof fake URL addresses, also partly affects Mozilla, according to Secunia today. And there's a further vulnerability in Internet Explorer, Secunia claims. This allows the bottom left, status bar of a browser to be manipulated as well as the address bar, so that you're more likely to think a forged site is real.Secunia said that Mozilla is partly vulnerable to this problem, as you can read [url=http://www.mozillazine.org/talkback.html?article=4078]h
re.[/url]Secunia told the INQ this morning that it has devised a test to demonstrate the bug, which you can find [url=http://www.secunia.com/internet_explorer_address_bar_sp
ofing_test/]here[/url], and has also revised its bulletin to describe these additional problems, [url=http://secunia.com/advisories/10395/]here.[/url][/quote
Krugger said:
[quote][i]Originally posted by olefarte [/i]According to [url=http://www.theinquirer.net/?article=13158]this article[/url] in TheInquirer, Mozilla is at least partially vulnerable to this problem also. Also, there's a link to a handy little test, so that you can check your browser to see if it is also vulnerable. [/quote] as for the people that said this resembled the earlier way you'd seen spoofing done, is it the same thing? i can't remember myself cause i havent seen one in a while. the link i posted was the same as the above article, where it shows only [url]www.microsoft.com[/url] in the address bar and status bar, but the actual address is ww.microsoft.com%01%00@secunia.com/internet_explorer_address
bar_spoofing_test/cause that seems very very dangerous to me. to be able to totally mimic a site's url in both the address bar and status bar with no way to know unless you copy and paste the link itself... that's asking for ripoff bank/CC/paypal-ebay sites that are undetectable to the average users. more so than the fake ones you see now...
olefarte said:
[quote]the link i posted was the same as the above article[/quote] Sorry, Krugger, I missed your link.By the way, when I ran that test, at almost the same moment that the test page loaded, Zone Alarm Pro, shut down my internet access, gave me warning, (don't remember exactly what it said, I had a panic attack, but it said to run a virus scan), and made me restart ZAP to get access again. I don't know if this was caused by the test or some other problem.
Krugger said:
no no, i didnt mean to imply anything, i was just sayin if they wanted to see what it looked like, they could examine the link in my post that's all. i don't care about who posted first :)
MrGaribaldi said:
[quote][i]Originally posted by Krugger [/i]as for the people that said this resembled the earlier way you'd seen spoofing done, is it the same thing? i can't remember myself cause i havent seen one in a while. [/quote] Well, not as such no... The other way is to load an invisible frame from the target site, and then the rest from the real server. But doing it that way means that if you bookmark a different page (on the same site) you'll only get to the front page. But using this (the url) spoofing would make the site look more professional, and still being able to use different/cheaper solution than otherwise possible.Which is why I hope for a "secure" solution, and not just permanent removal of it.
Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.