Flaw in DNS

[Delete]

I saw this on DNF and thought it was really funny. The gus says I hate google so I hacked them check out the site http://www.google.com (Google didn't really get hacked) You can mask any domain lol. I think I will do one for Yahoo!

 

[slipondajimmy]

thats good ..lol

 

[Tekim]

How do you do that?

 

[Whisper]

That's not really the best thing ever... In fact, it's an Internet Explorer security bug discovered some days ago.

Check out the URL: http://www.google.com%00@google-sucks.org. Did you see it? That is like accessing the google-sucks.org domain with the www.google.com username (that's like FTP, you have ftp://username:[email protected]/folder/) but, thanks to the mentioned bug (well, simply add that special symbol before the @), Internet Explorer doesn't see it right and only shows www.google.com.

That can be really a serious problem (think of PayPal scam mails with links made so...), that is why Microsoft has already been informed; they hopefully will fix this in a short time.

 

[Kodeking]

Thats actually really cool how that works. I wonder who thought of that

 

[dnslife]

pretty cool! I can think of a lot of uses for that.

 

[armstrong]

Not cool at all, as this could be exploited for fraudulent activities.

 

[Matt]

Indeed. Unlike those trusty 419'ers...lol

I think it's more of a "visual" floor than anything else.

Matt

 

[holeinone]

Originally posted by armstrong
Not cool at all, as this could be exploited for fraudulent activities.

SECOND THAT.

 

[Anthony]

Originally posted by Whisper
That's not really the best thing ever... In fact, it's an Internet Explorer security bug discovered some days ago.

Check out the URL: http://www.google.com%00@google-sucks.org. Did you see it? That is like accessing the google-sucks.org domain with the www.google.com username (that's like FTP, you have ftp://username:[email protected]/folder/) but, thanks to the mentioned bug (well, simply add that special symbol before the @), Internet Explorer doesn't see it right and only shows www.google.com.

That can be really a serious problem (think of PayPal scam mails with links made so...), that is why Microsoft has already been informed; they hopefully will fix this in a short time.

I don't know -- it didn't work when I tried it. If it works on other domains, then it can be very very bad. Another M$ bug

 

[armstrong]

It does work on any domain. There's just something slightly off wrong with Whisper's coding.

 

[Anthony]

Originally posted by armstrong
It does work on any domain. There's just something slightly off wrong with Whisper's coding.

I guess that's a good thing, although I assume the actual coding isn't too difficult to figure out...

 

[armstrong]

Delete has it right in his link. There's no use hiding this info, as its too easy and too exploitable. Be very wary about clicking links on emails and websites you don't trust.

The flaw doesn't work as well in Netscape, which displays the real url (complete with the additional characters), but it still forwards to the fake domain. In IE, none of the extra characters display at all.

 

[Anthony]

Originally posted by armstrong
Delete has it right in his link. There's no use hiding this info, as its too easy and too exploitable. Be very wary about clicking links on emails and websites you don't trust.

The flaw doesn't work as well in Netscape, which displays the real url (complete with the additional characters), but it still forwards to the fake domain. In IE, none of the extra characters display at all.

Good advice, as always, Armstrong. I am still having fun with this at my friends expense, all in good fun of course.