Closed Bug 284780 Opened 20 years ago Closed 20 years ago

spoofing possibility - silently adding .com / example: www.sat1de open www.sat1de.com not www.sat1.de

Categories

(Firefox :: Address Bar, defect)

Product:
Firefox
Component:
Address Bar
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: bestellung, Assigned: bugs)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

www.sat1de open www.sat1de.com not www.sat1.de

could be used for spoofing bank accounts or other stuff:
for example:
www.postbankde opens www.postbankde.com which could be a spoofed site!




Reproducible: Always

Steps to Reproduce:
1.enter www.satde
2. opens website www.sat1de.com but says only: www.satde

Actual Results:  
-

Expected Results:  
imho the best behaviour is to show: error, incorrect adress

a workaround maybe: show www.sat1de.com in the Adressbar after autocorrecting it
 

-
Summary: spoofing possibility- silently adding .com www.sat1de open www.sat1de.com not www.sat1.de → spoofing possibility - silently adding .com / example: www.sat1de open www.sat1de.com not www.sat1.de
Shouldn't be confidential, known behavior (intended even). This is probably
invalid, typo-squatters are a long-time internet fact of life and this is just
another form of that.

There might be an l10n case to be made that localizations be allowed to change
the completion prefix to their own ccTLD or turn off the .com feature. CC'ing
Pike and bsmedberg -- please invalidate or confirm.
Group: security
Localized versions already have the ability to change the completion suffix.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.