Simon Willison’s Weblog


Nasty new IE vulnerability

9th December 2003

Most people reading are probably aware of the common trick whereby spammers and other assorted ne’er-do-wells publish URLs with usernames that look like hostnames to fool people into trusting a malicious site—for example, http://www.microsoft.com&session%123123123@simon.incutio.com. This trick is frequently used by spammers to steal people’s PayPal accounts, by tricking them into “resetting” their password at a site owned by the spammer but disguised as PayPal.com.

Today’s new Internet Explorer vulnerability makes the problem a hundred times worse. By including a 0x01 character after the @ symbol in the fake URL, IE can be tricked into not displaying the rest of the URL at all. Don’t expect a patch for a while either; the guy who discovered the bug released it to BugTraq on the same day he notified the vendor.
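Both tricks leave a fingerprint in the authority part of the URL, so a mail filter or link checker can flag them before anyone has to squint at an address bar. The following is an added example, not code from the post; it uses Python’s urllib.parse, and the sample URLs are constructed to mirror the pattern described above.

```python
from urllib.parse import urlsplit

# Constructed sample URLs: the first mirrors the userinfo trick in the post,
# the second adds the 0x01 control character, the third is a plain link.
SAMPLES = [
    "http://www.microsoft.com&session%123123123@simon.incutio.com/",
    "http://www.paypal.com\x01@simon.incutio.com/",
    "http://simon.incutio.com/archive/",
]


def analyse_url(url):
    """Return (real_host, findings).

    real_host is the host the browser will actually connect to; findings
    lists the deceptive features present in the URL, in a fixed order.
    """
    parts = urlsplit(url)
    findings = []
    # urlsplit already discards everything before the last '@' when it
    # derives the hostname, which is exactly what the browser does.
    real_host = parts.hostname or ""
    netloc = parts.netloc
    if "@" in netloc:
        userinfo = netloc.rsplit("@", 1)[0]
        findings.append("userinfo-present")
        # A dotted userinfo component is almost certainly impersonating a host.
        if "." in userinfo:
            findings.append("userinfo-looks-like-hostname")
    # Any C0 control character (0x01 included) has no business in a URL.
    if any(ord(ch) < 0x20 for ch in url):
        findings.append("control-character")
    return real_host, findings


if __name__ == "__main__":
    for sample in SAMPLES:
        host, flags = analyse_url(sample)
        print(repr(sample), "->", host, flags)
```

A link is worth blocking or rewriting whenever findings is non-empty; the real_host value is what should be shown to the user in place of the raw string.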

This is Nasty new IE vulnerability by Simon Willison, posted on 9th December 2003.


Previously hosted at http://simon.incutio.com/archive/2003/12/09/nastyBug