393759 - Status bar shows hex IP URL in status bar for scam message (should translate back to numerical IP)

Status: NEW

(Thunderbird :: Security, defect)

Description

[Carlos Maziero]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Build Identifier: version 2.0.0.6 (20070728)

I recvd a scam message with the following content (excerpt from the msg source): 

<TD vAlign=bottom><FONT face="verdana, sans-serif" color=#666666 size=1><STRONG></STRONG><BR>Your registered name is included to show this message originated from eBay. <A href="http://3589680378/~contact/ws/signin.ebay.com/www.ebay.com/eBayISAPI.dllSignIn&pUserIdco/" target=_blank rel=nofollow _><FONT color=#003399>Learn more</FONT></A>.</FONT></TD>

The IP address in the URL link (3589680378) seems not to be valid, but TB shows it as-is in the status bar (http://3589680378/~contact/...). When I click on the link, it prevents me with the message "Are you shure you want to visit 213.246.44.250?"

The status bar should have presented the correct IP (213.246.44.250), and not "3589680378". Btw, 3589680378 in decimal is D5F62CFA in hexa, and D5.F6.2C.FA corresponds to 213.246.44.250 in decimal. So, scammers are using hexa IP addresses to disguise the information shown in the status bar.


Reproducible: Always

Steps to Reproduce:
1. send yourself a message containing a link to http://3589680378/
2. receive the message on Thunderbird
3. put your mouse over the link in the message and observe the status bar
4. click on the link and observe the warning message

Actual Results:  
IP addresses used in scam messages are presented in the status bar in a "scrambled way", in order to hide the actual address from the user.


Expected Results:  
The TB status bar should have presented the IP address in the standard form "http://213.246.44.250/~contact/...", instead of "http://3589680378/~contact/...".

Comment 1

[Magnus Melin [:mkmelin]]

I'm not sure I agree it's a bug, the "correct" url is shown, just not in a very normal way. Even a novice user probably would think the url looked odd - making it harder to scam them...

Comment 2

[Carlos Maziero]

Yes, maybe it's not a bug. However, it would be better for users to have the same URL presented in all dialogs. So, the warning message should also contains "Are you shure you want to visit 3589680378?"...

IMHO, it would be more meaningful for users to have the dotted IP address in all messages generated by TB.

Comment 3

[rsx11m]

If the IP address was presented in the traditional dot-format, it would be easier to look up the "owner" of that address (e.g., in a whois directory) to verify its origin. Those usually don't support queries for decimal or hexadecimal addresses (at least not ARIN). In either way, numerical addresses should always raise suspicion for being potentially harmful.

Comment 4

[rsx11m]

Attachment: For comparison: SeaMonkey dialog

A couple of interesting observations:

(1) As shown in the attached image, SeaMonkey (1.1.x branch and 2.0a1pre trunk) indeed does the conversion of integer addresses to the numerical IP notation for the given example when presenting this dialog. Thus, such a functionality - if not provided by Thunderbird already - could be obtained from that code.

(2) With the same e-mail, I was however unable to reproduce this on either Thunderbird 2.0.0.x branch nor 3.0b1pre trunk on Linux or Windows, even with a fairly new profile, thus not quite sure what's going on and why the scam message is not popping up.

Due to (2), I can't confirm this bug even though I'd like to, given that the normalized representation is much more intuitive and easier to track using current whois interfaces (e.g., who knows that 2130706433 actually represents the 127.0.0.1 loopback address?).

Can somebody reproduce this on the nightly builds in the same way?

Comment 5

[rsx11m]

Oops (and that's a very big one!)... now that I just posted the last comment, I've noticed that the dialog box isn't the issue here but the status bar before the link is clicked on:

> The IP address in the URL link (3589680378) seems not to be valid, but TB shows
> it as-is in the status bar (http://3589680378/~contact/...). When I click on
> the link, it prevents me with the message "Are you shure you want to visit
> 213.246.44.250?"

Thus in that case, both applications behave identical (just have to figure out why the scam notification didn't work when testing with Thunderbird). So, the question is whether the presentation of the IP address after clicking the link is sufficient as a warning, or if a somewhat more visible warning should be given before clicking the link, which still might be a good idea to have.

Sorry for being sleepy here. :-)

Comment 6

[Ludovic Hirlimann [:Usul]]

rsx11M : do you have a tescase lying somewhere that you could attach here ?

Comment 7

[rsx11m]

Attachment: Minimum test case

Sure, though a test case is given already in the original description.
This link resolves to 127.0.0.1 localhost as server, thus is benign.

Again, it works for me on SeaMonkey 2.0.2pre, but not Win32 Thunderbird 3.0 (regardless of "Tell me if the message I'm reading is a suspected email scam" setting, no warning is issued and the message directly opened in the browser).

Comment 8

[rsx11m]

Comment on attachment 418182 [details]
Minimum test case

Note that the scam warning won't pop up in SM's browser, you'll have to open this message from a mailbox.

Comment 9

[Ludovic Hirlimann [:Usul]]

(In reply to comment #7)
> Created an attachment (id=418182) [details]
> Minimum test case
> 
> Sure, though a test case is given already in the original description.
> This link resolves to 127.0.0.1 localhost as server, thus is benign.

And on Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.5) Gecko/20091204 Thunderbird/3.0 it's not even resolved as 127.0.0.1