Web Technology - Thin Client Maxed
Interesting URL Bug
A 'feature' of most browsers allows the true address of a site to be obscured from the user by a carefully crafted URL string. If you click on this link you will note that CNN is now carrying my photo gallery. We all know that they don't have my latest posts on their site, so what's going on?
I was curious how spam email was somehow sending me to what appears to be a legit website (such as the spam emails asking you to reenter credit card info). This started when I was getting emails from PayPal asking me to click on the link to reenter my profile info, including my password. When I clicked on the link, it indeed looked like I was on PayPal's site. Being the suspicious one that I am, and knowing that legit businesses don't ask for confidential info via email, I closed the browser and checked with PayPal. According to them, the email was bogus.
Research led me to a little-known browser standard and how browsers treat URLs containing special escape characters. When put into a URL string, they do special things, such as ignoring any characters that follow - which is how the masquerade works. So, instead of being on a legit site, the true URL (hidden to me) was www.paypal.com[escapecharacters]bogus-site.com - in other words, I was at a page on bogus-site.com that simply displayed that it was the PayPal site. (Feeling a little nervous now?)
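As an added example (not part of the original post, and not any browser's real code), the JavaScript below shows the mechanism this kind of masquerade relies on. It assumes the hidden "escape characters" sit in the userinfo part of the URL, the text before an "@" in the authority, as in http://www.paypal.com%01@bogus-site.com/ : everything before the last "@" is treated as a username, and the host the browser actually connects to is what follows it. The sample URLs are constructed, bogus-site.com is a placeholder, and naiveDisplay only emulates the address-bar behaviour described above (display stops at the first control character); it is not a reproduction of a specific browser's bug.

```javascript
// Constructed sample URLs (placeholders, not real links from the post).
const SAMPLE_URLS = [
  "http://www.paypal.com/cgi-bin/webscr",           // genuine host, no userinfo
  "http://www.paypal.com@bogus-site.com/login",     // host name used as a username
  "http://www.paypal.com%01@bogus-site.com/login",  // same, plus a percent-encoded control char
  "http://user:pass@example.com/",                  // legitimate use of userinfo
];

const CONTROL_CHAR = /[\x00-\x1f\x7f]/;
const LOOKS_LIKE_HOST = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

// Where the browser really goes: parse with the standard URL parser and read
// the host and userinfo fields separately. The userinfo is decoded so that
// "%01" becomes the control character it stands for.
function realDestination(rawUrl) {
  const u = new URL(rawUrl);
  return {
    host: u.hostname,
    userinfo: decodeURIComponent(u.username) + (u.password ? ":" + u.password : ""),
    path: u.pathname,
  };
}

// Emulation (assumption) of the display behaviour the post describes: the
// address bar renders the decoded URL and stops at the first control
// character, so the user sees only what precedes it.
function naiveDisplay(rawUrl) {
  const decoded = decodeURIComponent(rawUrl);
  const m = decoded.match(CONTROL_CHAR);
  return m ? decoded.slice(0, m.index) : decoded;
}

// Heuristic check a mail client or proxy could apply to a link before the user
// follows it: flag URLs whose userinfo contains control characters, or whose
// userinfo is itself shaped like a host name (the social-engineering half).
function looksLikeHostSpoof(rawUrl) {
  const u = new URL(rawUrl);
  if (u.username === "" && u.password === "") return false;
  const decoded = decodeURIComponent(u.username);
  if (CONTROL_CHAR.test(decoded)) return true;
  return LOOKS_LIKE_HOST.test(decoded);
}

// Side-by-side report of what the user would see versus where they would land.
function report(rawUrl) {
  const dest = realDestination(rawUrl);
  return {
    shown: naiveDisplay(rawUrl),
    connectsTo: dest.host,
    suspicious: looksLikeHostSpoof(rawUrl),
  };
}

for (const url of SAMPLE_URLS) {
  console.log(report(url));
}
```

Run it with node; the third sample displays as http://www.paypal.com while connectsTo is bogus-site.com, which is exactly the gap the masquerade exploits. The check deliberately does not flag user:pass@example.com, since userinfo is legitimate when it does not resemble a host name and carries no control characters.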
I won't be any more specific here, but be warned that clicking on an email link to what looks like a legit site might not send you where you think you should be. You have been warned.
Tuesday, December 16, 2003