Closed Bug 233467 Opened 21 years ago Closed 21 years ago

@ (At) Sign In URL (Web Address) Should Invoke Alert

Categories

(Core :: Security, enhancement)

Platform: x86 / Windows 98
Type: enhancement
Priority: Not set
Severity: normal


VERIFIED DUPLICATE of bug 122445

People

(Reporter: qwoir, Assigned: security-bugs)

Details

User-Agent:
Build Identifier: (Mozilla 1.6, which is not the browser being used to submit this report.)

The following is a realistic security concern that should be addressed: A popular exploit these days is to send an email purporting to be from a trustworthy entity, e.g. ebay.com, asking for funds. The URL linked in the text is very long, starting with the name of the entity, e.g. "www.ebay.com". However, buried in the cryptic parameter list is an "@" sign which redirects the request to a rogue IP.

There should be an option, initially set to enabled, which causes a security alert to pop up in the event that such a URL is requested for fetching, especially if it is entered in the browser bar, as opposed to embedded somewhere in the page. Granted, it might become a nuisance if email addresses (which contain "@"s) are frequently passed in URLs. So a checkbox for "Don't warn me again" would be useful, and also some help text in the same dialog which tells the user where, in the labyrinth of preferences, he can re-enable the alert if desired in the future. (Perhaps some good AI could differentiate between an email address passed as a parameter and a true redirect. I doubt it, though.)

Reproducible: Always

Steps to Reproduce:
1. Type in "http://www.ebay.com@www.ibm.com".

Actual Results: IBM comes up, as expected. I might as well have entered "www.mybank.com@www.somehacker.com".

Expected Results: Hopefully, alerted me for being so dumb as to fall for this trick. Grandma Bessie does not know what "@" does, and needs to be warned.
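The trick the report describes, as an added example that is not part of the bug report or of Mozilla's code: everything between the scheme and the "@" in the authority is userinfo (username, optionally ":password"), and the real host is what follows the "@". The WHATWG URL parser built into Node.js and modern browsers exposes that split directly, which is all the requested alert needs. The function names `classifyUrl` and `warningFor`, the sample URLs, and the "userinfo that looks like a hostname is a lure" heuristic are assumptions made for this example; note that an "@" in the query string is not userinfo and is not flagged, which answers the reporter's worry about email addresses passed as parameters.

```javascript
// Added example, not from the bug report: classify a URL the way the
// requested alert would have to, using the standard WHATWG URL parser.
// Only userinfo (the text before "@" in the authority) is flagged; an "@"
// that appears after "/", "?" or "#" never reaches the username field.

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns an object describing what the reader sees versus where the
// request really goes. Names and heuristic are assumptions for this example.
function classifyUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return { kind: "unparseable", input };
  }
  const userinfo = url.username; // text before ":" or "@" in the authority
  if (!userinfo && !url.password) {
    return { kind: "plain", host: url.hostname };
  }
  // Assumed heuristic: a username made of dotted labels (looks like a site
  // name) is almost certainly a lure; HTTP basic-auth usernames in links
  // are rare and do not look like hostnames.
  const looksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(safeDecode(userinfo));
  return {
    kind: looksLikeHost ? "spoof" : "userinfo",
    displayed: userinfo,              // what a reader notices first
    host: url.hostname,               // where the request actually goes
    hasPassword: url.password.length > 0,
  };
}

// Text the alert dialog would show for a given URL.
function warningFor(input) {
  const c = classifyUrl(input);
  switch (c.kind) {
    case "spoof":
      return `WARNING: this link shows "${c.displayed}" but connects to ${c.host}`;
    case "userinfo":
      return `Note: this link sends the username "${c.displayed}" to ${c.host}`;
    case "unparseable":
      return `Cannot parse: ${c.input}`;
    default:
      return `OK: ${c.host}`;
  }
}

// Constructed sample inputs (the first two mirror the report's examples).
const samples = [
  "http://www.ebay.com@www.ibm.com",
  "http://www.mybank.com:login@www.somehacker.com/",
  "http://www.ebay.com/?contact=bessie@example.com",
  "http://bob@www.ibm.com/",
];
for (const s of samples) console.log(warningFor(s));
```

Run with `node` to see one line per sample; the first two produce the warning, the query-string case is reported as plain, and the short basic-auth username gets the softer note.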
*** This bug has been marked as a duplicate of 122445 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
V/dupe.
Status: RESOLVED → VERIFIED
QA Contact: benc