wrong url displayed in location bar, open to abuse by phishers

VERIFIED DUPLICATE of bug 264610

Status


Firefox
Address Bar
13 years ago

People

(Reporter: Geoff Latham, Assigned: Ben Goodger (use ben at mozilla dot org for email))

Tracking

Firefox Tracking Flags

(Not tracked)


Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

typing www.intel or www.amd into the address bar will take you to the respective
.com site but display the url as www.intel or www.amd

this could be open to abuse for phishing scams in the case of domains with names
the same as TLDs such as www.int.com

www.int doesn't exist so firefox helpfully tries other TLDs added to the url. it
finds www.int.com and loads it but doesn't update the location bar.

I presume that if the www.int.com had a subdomain of, say, "unitednations" then
using unitednations.int would result in firefox directing you to
unitednations.int.com but displaying "unitednations.int" making it look like a
genuine international organisation.

Reproducible: Always

Steps to Reproduce:
1. enter url as www.int or http://www.int
2. hit return
Actual Results:  
www.int.com index page is loaded but www.int is displayed in location bar

Expected Results:  
url in address bar should be updated to reflect the actual address of the site
you are visiting.

after seeing the "Internationalized Domain Name (IDN) homograph spoofing" bug
listed under security fixes I decided to check the "Security" tickbox on this
form. apologies in advance if I was wrong to do so.
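
The behaviour described in this report, modelled as an added example that is not part of the original report and is not Firefox source code. It compares the reported state (fixed-up host loaded, typed text still displayed) with the expected state and checks the invariant that the displayed host equals the loaded host. The resolvable host list, the `.com` suffix list and all function names are assumptions constructed for illustration.

```javascript
// Constructed model of address-bar fixup; none of this is Firefox code.
// Assumption: hosts that "exist" in this model (constructed sample data).
const RESOLVABLE = new Set(["www.int.com", "unitednations.int.com", "www.example.org"]);
// Assumption: suffixes the fixup step appends when the typed host fails.
const FIXUP_SUFFIXES = [".com"];

// Extract the host from what the user typed, with or without a scheme.
function typedHost(typed) {
  return new URL(typed.includes("://") ? typed : "http://" + typed).hostname;
}

// Return the host that is actually loaded after fixup, or null if none resolves.
function fixupHost(typed) {
  const host = typedHost(typed);
  if (RESOLVABLE.has(host)) return host;
  for (const suffix of FIXUP_SUFFIXES) {
    if (RESOLVABLE.has(host + suffix)) return host + suffix;
  }
  return null;
}

// Reported behaviour: the fixed-up host is loaded, the typed host stays on display.
function navigateAsReported(typed) {
  return { loaded: fixupHost(typed), displayed: typedHost(typed) };
}

// Expected behaviour: the location bar is rewritten from the loaded host.
function navigateExpected(typed) {
  const loaded = fixupHost(typed);
  return { loaded, displayed: loaded };
}

// Invariant check: a page is loaded and the bar shows a different host.
function displayMismatch(state) {
  return state.loaded !== null && state.displayed !== state.loaded;
}

// Run the inputs from the report through both models and print the result.
for (const typed of ["www.int", "http://www.int", "unitednations.int"]) {
  const reported = navigateAsReported(typed);
  const expected = navigateExpected(typed);
  console.log(typed, "loaded:", reported.loaded,
    "| reported bar:", reported.displayed, "mismatch:", displayMismatch(reported),
    "| expected bar:", expected.displayed, "mismatch:", displayMismatch(expected));
}
```

A regression test for the location bar can assert the same invariant: after any fixup, the displayed host must equal the host of the document that was loaded.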
*** Bug 287812 has been marked as a duplicate of this bug. ***

*** This bug has been marked as a duplicate of 264610 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED