Possible to hide servername in urlbar

VERIFIED DUPLICATE of bug 122445

Status

SeaMonkey
Location Bar
14 years ago
9 years ago

People

(Reporter: sicking, Unassigned)

This is a UI bug which tends to generate a lot of ranting and spamming. DO NOT DO
THAT OR WE'LL KICK YOU OUT!

There's recently been a bug found in IE where it's possible to cut off part of
the URL shown in the URL bar. This opens an exploit where the user is tricked into
going to the URL:

http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm

where everything after the %01 is hidden. The user thinks he's at
www.microsoft.com and feels safe to download executables or enter sensitive
information such as passwords or credit card numbers.

See also http://simon.incutio.com/archive/2003/12/09/nastyBug

However, Mozilla is vulnerable to this too, though to a lesser extent. If I were
to go to the above URL I would most likely think I'm at microsoft. Especially if
it has a bit more obfuscation. And if you don't believe that I would be fooled by
this you'd better believe that my mom would. People don't look at the entire URL
searching for a '@' sign, rather you just look at the beginning and feel safe
after that.

I can see two ways of fixing this in Mozilla. Either we don't show the username
in the URL bar (i.e. we cut away everything before the @), or we could put
emphasis on the servername, such as making it bold.
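
The two fixes proposed above, sketched as an added example that is not part of the original report or of Mozilla's code: it parses the URL with the standard WHATWG `URL` class, flags userinfo that resembles a hostname or carries an encoded control character, and returns both a stripped form and host-emphasised segments. The function name, warning labels and result fields are assumptions made for illustration.

```javascript
// Added example: build a location-bar rendering in which userinfo cannot
// pose as the server name. Uses only the standard WHATWG URL parser.

// Percent-encoded C0 control characters or DEL (%00-%1F, %7F).
const ENCODED_CONTROL = /%(?:[01][0-9a-f]|7f)/i;
// Userinfo that begins like a dotted hostname, e.g. "www.example.com".
const HOST_LIKE = /^[a-z0-9-]+(?:\.[a-z0-9-]+)+/i;

// Hypothetical helper: describes how a URL should be shown to the user.
function describeForLocationBar(rawUrl) {
  const url = new URL(rawUrl); // throws TypeError on unparsable input
  const userinfo = url.password
    ? `${url.username}:${url.password}`
    : url.username;

  const warnings = [];
  if (userinfo) {
    warnings.push("userinfo-present");
    if (HOST_LIKE.test(url.username)) warnings.push("userinfo-looks-like-host");
    if (ENCODED_CONTROL.test(userinfo)) warnings.push("control-char-in-userinfo");
  }

  const rest = url.pathname + url.search + url.hash;
  return {
    host: url.hostname,
    userinfo,
    warnings,
    // First proposal in the report: cut away everything before the '@'.
    stripped: `${url.protocol}//${url.host}${rest}`,
    // Second proposal: keep the parts separate so the UI can embolden the host.
    segments: [
      { text: `${url.protocol}//`, emphasis: false },
      { text: url.host, emphasis: true },
      { text: rest, emphasis: false },
    ],
  };
}

// The URL quoted in the report, plus a constructed ordinary URL for contrast.
const reported = describeForLocationBar(
  "http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm");
const ordinary = describeForLocationBar("http://example.org/index.html");
console.log(reported.stripped, reported.warnings);
console.log(ordinary.stripped, ordinary.warnings);
```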

Isn't this a dup of bug 122445?

*** This bug has been marked as a duplicate of 122445 ***
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE

Comment 3

14 years ago
VERIFIED/dupe
Status: RESOLVED → VERIFIED
Product: Core → SeaMonkey