@ (At) Sign In URL (Web Address) Should Invoke Alert

Status: VERIFIED DUPLICATE of bug 122445
Product: Core
Component: Security
Priority: --
Severity: enhancement
Reported: 15 years ago
Modified: 14 years ago

People

(Reporter: Lawrence Worth, Assigned: Mitchell Stoltz (not reading bugmail))

Tracking

Version: Trunk
Hardware: x86
OS: Windows 98
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

Description (Reporter, 15 years ago)
User-Agent:       
Build Identifier: (Mozilla 1.6, which is not the browser being used to submit this report.)

The following is a realistic security concern that should be addressed:  A
popular exploit these days is to send an email purporting to be from a
trustworthy entity, e.g. ebay.com, asking for funds.  The URL linked in the text
is very long, starting with the name of the entity, e.g. "www.ebay.com". 
However, buried in the cryptic parameter list is an "@" sign which redirects the
requests to a rogue IP.  There should be an option, initially set to enabled,
which causes a security alert to pop up in the event that such a URL is
requested for fetching, especially if it is entered in the browser bar, as
opposed to embedded somewhere in the page.  Granted, it might become a nuisance
if email addresses (which contain "@"s) are frequently passed in URLs.  So a
checkbox for "Don't warn me again" would be useful, and also some help text in
the same dialog which tells the user where, in the labyrinth of preferences, he
can reenable the alert if desired in the future.  (Perhaps some good AI could
differentiate between an email address passed as a parameter and a true
redirect.  I doubt it, though.)



Reproducible: Always
Steps to Reproduce:
1. Type in "http://www.ebay.com@www.ibm.com".

Actual Results:  
IBM comes up, as expected.  I might as well have entered
"www.mybank.com@www.somehacker.com".

Expected Results:  
Hopefully, alerted me for being so dumb as to fall for this trick.  Grandma
Bessie does not know what "@" does, and needs to be warned.

*** This bug has been marked as a duplicate of 122445 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → DUPLICATE
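The check the reporter asks for, written here as an added illustration that is not part of this bug report or of Mozilla's code: a standard URL parser assigns the text between "//" and "@" in the authority to the userinfo component, which is why "www.ebay.com@www.ibm.com" connects to IBM, while an "@" in the path or query string (an email address passed as a parameter) stays ordinary data. The two cases are therefore separable by parsing alone. Treating a bare address without a scheme as http:// is an assumption about address-bar behaviour; the sample URLs are the ones from the report plus constructed ones for the email-parameter and mailto cases.

```python
from typing import Optional
from urllib.parse import urlsplit


def analyse_url(url: str) -> dict:
    """Split a URL the way a browser would and report where any '@' landed.

    Assumption (not from the bug report): an address typed without a scheme
    is treated as http://, as an address bar does.
    """
    if not urlsplit(url).scheme:
        url = "http://" + url
    parts = urlsplit(url)
    return {
        # The host the request actually goes to (None if there is none).
        "host": parts.hostname,
        # Text before '@' in the authority: a login name, not a host.
        "userinfo": parts.username,
        "has_password": parts.password is not None,
        # An '@' in the path or query (e.g. ?email=a@b.c) is ordinary data.
        "at_in_path_or_query": "@" in parts.path or "@" in parts.query,
    }


def userinfo_warning(url: str) -> Optional[str]:
    """Return the alert text the report asks for, or None if the URL is plain.

    Only an '@' in the authority part triggers it, so email addresses in
    query parameters do not cause the nuisance warnings the reporter worries about.
    """
    info = analyse_url(url)
    if info["userinfo"] is None and not info["has_password"]:
        return None
    return (
        f'Warning: this address connects to "{info["host"]}", not to '
        f'"{info["userinfo"]}". The text before "@" is sent as a login name.'
    )


if __name__ == "__main__":
    # Sample inputs: the two from the report plus constructed ones
    # showing that an '@' outside the authority does not trigger the alert.
    for sample in (
        "http://www.ebay.com@www.ibm.com",
        "www.mybank.com@www.somehacker.com",
        "http://www.example.com/contact?email=grandma@example.com",
        "mailto:grandma@example.com",
    ):
        print(sample, "->", userinfo_warning(sample) or "no warning")
```

The warning deliberately names the real host rather than only saying "suspicious", since the point of the alert is to tell a user which site they are about to talk to.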

Comment 2

14 years ago
V/dupe.
Status: RESOLVED → VERIFIED
QA Contact: benc