Closed Bug 263334 Opened 20 years ago Closed 20 years ago

Typing "http;//mozilla.com/" instead of "http://mozilla.com/" returns Microsoft.com

Categories

(Firefox :: Address Bar, defect)

Type: defect, Priority: Not set, Severity: normal

VERIFIED DUPLICATE of bug 231720

People

(Reporter: klubkid, Assigned: bugs)

Details

(Whiteboard: [sg:nse])

User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; rv:1.7.3) Gecko/20040913 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; rv:1.7.3) Gecko/20040913 Firefox/0.10.1

Accidentally typing "http;//www.mozilla.com/" instead of "http://www.mozilla.com/" (using a semicolon instead of a colon) returns microsoft.com

Reproducible: Always

Steps to Reproduce:
1. Type "http;//www.mozilla.com/" into the address bar (remember the semicolon)
2. Press return
3. Shield your eyes

Actual Results:
The typed address returned Microsoft.com and the address bar retained the text "http;//www.mozilla.org/"

Expected Results:
Changed the semicolon to a colon for me and changed the address bar text to the current page.
http;//invalid.url also fails over to Microsoft... looks like this might be a bug in I'm Feeling Lucky, or more likely MS has gobbled up the "http" search term or dominates that term...
http://www.google.com/search?hl=en&q=http%3B&btnG=Google+Search gets MS at the top of the list. We should think about intercepting that one and not passing it to I'm Feeling Lucky.
Flags: blocking-aviary1.0+
This is definitely the "I'm feeling lucky" keyword result. Not an exploit, clearing security flag--but of course we still probably want to fix it :-)
Group: security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:nse]
How? Google-spamming? ;-P
Just to document, this issue was originally reported (and dup reported many times since) in bug 231720 and resolved as invalid.
*** This bug has been marked as a duplicate of 231720 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Flags: blocking-aviary1.0+
Thoughts on a fix: since : and ; share a key (in the US) we can count on it being a pretty common typo. I'm personally not fond of the keyword behavior--a straight Google search page would be less mysterious--but if we're going to keep it we could check for <scheme>; or maybe <scheme>;/ before punting to keywords. At least for the common schemes http(s), ftp, and file.
It is terribly easy to spoof addresses using this scheme: http://phishing;www.paypall.com/ There is a popup warning for the other exploit with the "@" symbol. An original search term could be used instead of the word "phishing" as a Google search term returning a false website.
In reply to comment 7, your URL takes me to http://www.antiphishing.org/, which it pains me to say does not seem to recommend Firefox nor state clearly that Microsoft and Phishing go together like Castor and Pollux, e.g. http://www.google.com/search?q=Microsoft+Phishing+IIS&btnG=Search&hl=en&lr=
Quite clearly the effect of clicking a link like http://phishing;www.paypall.com/ should not be the current behaviour but rather a message telling the user that the address could not be found. The reason for that is that if the http-protocol has been specified it should also be used, just as one should not use FTP if the address http://ftp.example.com has been specified. Should the protocol-part be left out however (like phishing;www.paypall.com/) the current behaviour might be correct.
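The two checks proposed in the comments above (look for <scheme>; before punting to keywords, and never fall back to a search when a scheme was explicitly given), sketched as an added example that is not part of the bug thread and not Firefox's URI fixup code. The function classifyInput, its action names and the host-name pattern are assumptions made for illustration.

```javascript
// Added example (hypothetical names; not Firefox's URI fixup code).
// Schemes are the ones named in the thread: http(s), ftp and file.
const COMMON_SCHEMES = ["http", "https", "ftp", "file"];
// ASCII host name made of dot-separated labels, or a bracketed IPv6 literal.
// Assumption: an IDN host would be converted to punycode before this check.
const LABEL = "[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?";
const HOST_RE = new RegExp(`^(?:${LABEL}(?:\\.${LABEL})*\\.?|\\[[0-9a-f:.]+\\])$`, "i");

// Decide what the address bar may do with typed or clicked input.
//   load     - explicit scheme and a syntactically valid host: navigate, and
//              on failure show an error page, never a search
//   fix      - "<scheme>;" typo: use the corrected URL in `url`
//   error    - explicit scheme (or its typo) but unusable host: never search
//   fallback - no scheme at all: existing fixup / keyword search may run
function classifyInput(raw) {
  const input = raw.trim();

  // "<scheme>;", "<scheme>;/" or "<scheme>;//" followed by text without spaces.
  const typo = /^([a-z][a-z0-9+.-]*);(\/{0,2})(\S+)$/i.exec(input);
  if (typo && COMMON_SCHEMES.includes(typo[1].toLowerCase())) {
    const url = `${typo[1].toLowerCase()}://${typo[3]}`;
    return classifyInput(url).action === "load"
      ? { action: "fix", url }
      : { action: "error", reason: "scheme typo, but the corrected URL is not valid" };
  }

  const explicit = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]*)/i.exec(input);
  if (!explicit || !COMMON_SCHEMES.includes(explicit[1].toLowerCase())) {
    return { action: "fallback" };
  }
  const scheme = explicit[1].toLowerCase();
  // Drop userinfo ("user@") and ":port" so only the host is validated.
  const host = explicit[2].slice(explicit[2].lastIndexOf("@") + 1).replace(/:\d*$/, "");
  // Only file: URLs may have an empty host (file:///path).
  if (host === "" ? scheme === "file" : HOST_RE.test(host)) {
    return { action: "load", url: input };
  }
  return { action: "error", reason: `"${host}" is not a valid host name` };
}

// Constructed sample inputs, using the strings discussed in the thread.
for (const s of ["http;//www.mozilla.com/", "http://phishing;www.paypall.com/",
                 "phishing;www.paypall.com/", "http://www.mozilla.com/"]) {
  console.log(s, "->", JSON.stringify(classifyInput(s)));
}
```

Input that starts with "http;" but contains spaces is left to the search fallback, since a mistyped URL does not contain spaces.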
When using a proxy, http://phishing;www.paypall.com/ fails with the Single Word problem: Bug 2875 "Proxy: map HTTP 500 errors to necko errors (so Internet Keywords and Domain Guessing would work)" Performing the "I'm feeling lucky" search on those words by hand today took me to http://weblogs.mozillazine.org/asa/archives/005182.html , which seems to be the right thing. Whilst there may be room for improvement, we seem to be on the right lines.