Closed Bug 1804628 Opened 2 years ago Closed 1 year ago

False positive from PhishingDetector.jsm for encoded URL (same as link text) with pointless alert : 'The link you just clicked seems to lead to another site... link text... 49.12.10.46, but it leads to 49.12.10.46'

Categories

(Thunderbird :: Message Reader UI, defect)

Thunderbird 102
defect

Tracking

(thunderbird_esr115 wontfix, thunderbird120 affected)

RESOLVED FIXED
121 Branch
Tracking Status
thunderbird_esr115 --- wontfix
thunderbird120 --- affected

People

(Reporter: alexander.peshkoff, Assigned: mkmelin)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

Steps to reproduce:

Click a link in received (from reliable source) eMail

Actual results:

Strange message:
The link you just clicked seems to lead to another site than what the link text indicated. This is sometimes used for tracking whether you clicked the link, but it could also be a scam.

The link text indicated that the link would lead to 49.12.10.46, but it leads to 49.12.10.46.

With buttons: Go to 49.12.10.46 anyway; Cancel; Go to 49.12.10.46

Expected results:

No such message for same IP

The link is:
http://49.12.10.46/debug_fb50/windows/fbt_show_cross_report.has-some-errors.htm#o13513.16%23

The text is:
http://49.12.10.46/debug_fb50/windows/fbt_show_cross_report.has-some-errors.htm#o13513.16#

Suppose that may happen due to # vs %23 but error text is a little funny :)

Yeah, thanks Alexander, something is wrong here. Maybe not so bad, hopefully rare...

Confirming as described for 102.6.0 (64-bit), Win10 (see screenshot in my next comment).

  • %23 is URL-encoded for #, so the the link text and the link URL from comment 0 are actually fully identical, and this shouldn't trigger a phishing alert at all. I recall from other link issues involving URL encoding that getting this right may nevertheless be non-trivial.
  • The phishing alert is wrong and pointless even if link text and link were different:
    • The difference is at the end of the URL, but it's not shown.
    • The error message claims that the IP 49.12.10.46 is different from 49.12.10.46, which makes no sense. This will come out wrong for a lot of mismatching URLs where the difference is not in the domain.

It doesn't look urgent, but hopefully there are some improvements which could be made to this.

Severity: -- → S3
Status: UNCONFIRMED → NEW
Component: Untriaged → Message Reader UI
Ever confirmed: true
Summary: Wrong message 'The link you just clicked seems to lead to another site' → False positive for encoded URL with pointless alert from PhishingDetector.jsm: 'The link you just clicked seems to lead to another site... link text... 49.12.10.46, but it leads to 49.12.10.46'
Summary: False positive for encoded URL with pointless alert from PhishingDetector.jsm: 'The link you just clicked seems to lead to another site... link text... 49.12.10.46, but it leads to 49.12.10.46' → False positive from PhishingDetector.jsm for encoded URL (same as link text) with pointless alert : 'The link you just clicked seems to lead to another site... link text... 49.12.10.46, but it leads to 49.12.10.46'
Assignee: nobody → mkmelin+mozilla
Status: NEW → ASSIGNED
Attachment #9361418 - Attachment description: Bug 1804628 - Don't show abiguous link warning if hosts actually match but are IPs. r=#thunderbird-reviewers → Bug 1804628 - Don't show ambiguous link warning if hosts actually match but are IPs. r=#thunderbird-reviewers
Target Milestone: --- → 121 Branch

Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/c80392fa8d01
Don't show ambiguous link warning if hosts actually match but are IPs. r=freaktechnik

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: