Closed Bug 379721 Opened 17 years ago Closed 17 years ago

Phishing warning, found an easy way to hide a fake url

Categories

(Firefox :: Security, defect)

2.0 Branch
x86
Windows XP
defect
Not set
normal

RESOLVED DUPLICATE of bug 304905

People

(Reporter: bezet, Unassigned)

Details

(Keywords: testcase)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

This is my first time posting a bug, so I may do some things wrong.

Anyway, I found an easy way to hide a fake URL in an address.
Check out the example: http://venatios.pl/bug.htm
The link looks fine; when you move the mouse cursor over the link you can see in the status bar 'http://firefox.com', so it looks 'real'. But in fact, the link is http://%c2%8cfirefox.com/. However, the domain name is incorrect, but you can hide other addresses, like http://en.wikipedia.org/wiki/%c2%8cFirefox. What is interesting, at Wikipedia the header will be shown as Firefox.
I don't know if this is serious, but maybe Firefox should output the URL in the status bar with the %c2%8c or other special characters?

Reproducible: Always

Steps to Reproduce:
1. Create link with some special character, like %c2%8c
2. The link in the status bar will be shown without the character

Actual Results:
The link at the status bar is fake.

With my 2.0.0.4pre build I see the status bar display "http://firefox.com" but with trunk it displays "http://  firefox.com"

(Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a5pre) Gecko/20070504 Minefield/3.0a5pre ID:2007050405 [cairo])
Component: General → Security
QA Contact: general → firefox
Version: unspecified → 2.0 Branch
Blocks: 325274
Keywords: testcase

However, let's talk about the Wikipedia case:
It is possible to create fake sites on Wikipedia like http://en.wikipedia.org/wiki/User:%c2%8cSomething or http://en.wikipedia.org/wiki/Wikipedia:%c2%8cAbout. The status bar shows the fake link and even the header is the same. Only the URL is different (if noticed).

Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
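
The behaviour the reporter asks for (keep `%c2%8c` and similar characters visible in the status bar) can be sketched as follows. This is an added example, not part of the bug report and not Firefox's code; `displayUrl`, `decodeRun` and `seqLen` are hypothetical names, and keeping every ASCII escape as written is a simplifying assumption.

```javascript
// Added example (not Firefox code): render a URL for a status bar,
// decoding percent-escapes only when the result is a visible character.

// Controls (incl. C1 such as U+008C), format chars, separators/spaces,
// surrogates, private-use and unassigned code points stay escaped.
const INVISIBLE = /[\p{Cc}\p{Cf}\p{Z}\p{Cs}\p{Co}\p{Cn}]/u;
const utf8 = new TextDecoder("utf-8", { fatal: true, ignoreBOM: true });

// Length of a UTF-8 sequence from its lead byte; 0 = ASCII or invalid lead.
function seqLen(b) {
  if (b >= 0xc2 && b <= 0xdf) return 2;
  if (b >= 0xe0 && b <= 0xef) return 3;
  if (b >= 0xf0 && b <= 0xf4) return 4;
  return 0;
}

// Decode one run of consecutive %XX escapes into display text.
function decodeRun(run) {
  const esc = run.match(/%[0-9a-fA-F]{2}/g);
  const bytes = esc.map(e => parseInt(e.slice(1), 16));
  let out = "";
  for (let i = 0; i < esc.length; ) {
    const len = seqLen(bytes[i]);
    let ch = null;
    if (len > 0 && i + len <= bytes.length) {
      try {
        ch = utf8.decode(Uint8Array.from(bytes.slice(i, i + len)));
      } catch (e) {
        ch = null; // malformed UTF-8: keep the escape below
      }
    }
    if (ch !== null && !INVISIBLE.test(ch)) {
      out += ch; // visible non-ASCII character: show it decoded
      i += len;
    } else if (ch !== null) {
      out += esc.slice(i, i + len).join(""); // invisible: keep its bytes escaped
      i += len;
    } else {
      out += esc[i]; // ASCII escape or invalid byte: keep as written
      i += 1;
    }
  }
  return out;
}

// Display form of a URL: only runs of percent-escapes are rewritten.
function displayUrl(url) {
  return url.replace(/(?:%[0-9a-fA-F]{2})+/g, decodeRun);
}
```

With this rule the two links from the report are displayed with `%c2%8c` intact, while an escape for a visible letter is still shown decoded.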