Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: IE URL obfuscation
From: Nick FitzGerald (nickVIRUS-L.DEMON.CO.UK)
Date: Thu Dec 11 2003 - 19:22:40 CST
I replied to Russ:
> If we had to worry each time we pushed a couple of slices of bread into
> our toasters that some slimeball on the other side of the planet would
> have untrammelled access to our bank accounts for the duration of the
> toasting process, I suspect we'd all just eat bread (or at least find
> other ways to may toast!) and the "toaster industry" would _DESERVEDLY_
> fail. Computing on the scale and with the breadth of reach and impact
> that we have inflicted on the unwary, and those who are largely not
> sophisticated enough to know what questions to ask, is certainly
> _nowhere near_ the same level of consumer readiness as the domestic
> bench-top toaster. The lie that it is, is largely the responsibility of
> Bill and Co. I think they should start accepting the very real
> responsibility they have, personally, professionally and commercially to
> fix this. Working on, and releasing ASAP, yet another fix for IE would
> show that they _MAY_ be beginning to understand their role in all this
> and that they _MAY_ be starting -- just starting -- to get a clue what
> "Trustworthy computing" might really be all about.
I realized after posting this that a previous post of mine about the
flaws in the URI RFC, from late last week or very early this, in
response to a visa.com phishing scam was _not_ posted to this list.
Despite that I had written my commentary on this with that earlier
message in mind. If Russ does not mind posting this, I'll include the
text of that earlier message (to the Full-Disclosure mailing list) here
so NTBugtraq-ers can see some of the ideas behind what I just wrote,
but did not directly reference therein.
Hopefully this makes my comments in the message Russ just posted a
little more intelligible and perhaps to appear less of a rant...
From: Nick FitzGerald
Subject: Re: [Full-Disclosure] (no subject)
Date: Fri, 05 Dec 2003 15:43:55 -0800
"[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> Quite a nifty email scam:
> [EMAIL PROTECTED]/verified_by_visa.html">http://www.visa
> Note the gap, shows only as visa.com in Outlook Express which takes
> you to visa's site and a rather awkward popup window where the data
> is supposed to be filled in.
Indeed -- this is a classic exploit of a classic case of several
_really, really BAD_ design decisions.
First, some genius (or committee thereof) decided that putting
"userinfo" data into URLs would be a good idea. This was decided
despite it generally being agreed -- as the URL RFC authors note _in
the RFC_ -- to be a bad thing from a security perspective...
Second, and perhaps the largest part of the problem was that the
specification for doing this was designed by people with _ABSOLUTELY
ZERO_ clue about user interfaces, as is shown by their decision to put
userinfo data in front of the target domain. Normally users will only
see URLs without userinfo data, so from a UI perspective it was really
bad design to have a "special case" (that would be rarely used and thus
rarely seen by users) "disturb" the expectation of the user (in
general, that is a recipe for problems). Worse is that the userinfo
data field has, by its nature, to allow for completely arbitrary data
(in terms of length and character set).
Third, and increasingly inexcusable, is that no client s/w (that I am
aware of) that deals with such URLs has _ANY_ kind of sanity checking
or user warning that "something unexpected" may be about to happen. I
would hazard that, because of the general agreement that specifying
userinfo data in URLs is a really bad thing, historically "most" URLs
that the have had a userinfo part have had such for nefarious uses.
Thus, I'd suggest that it is time URL-handling routines stopped
handling userinfo data, at least without prompting the user, or better
still, by default be configured to not handle userinfo (which would
make userinfo handling a candidate for zone-by-zone enabling in IE
where, _at most_, it would only make sense to be enabled by default in
the Trusted Sites zone).
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Out of Office replies to list messages cause you to be unsubscribed
automatically. Either subscribe a Public Folder, or ensure your rules are
set to ensure list messages are filtered prior to your Out of Office reply.
Such automatic replies are a bane to posters, and cause us to have fewer
researchers post to NTBugtraq.