Simon Willison’s Weblog

Subscribe

Nasty new IE vulnerability

9th December 2003

Most people reading are probably aware of the common trick whereby spammers and other assorted ne’er-do-wells publish URLs with usernames that look like hostnames to fool people in to trusting a malicious site—for example, http://www.microsoft.com&session%123123123@simon.incutio.com. This trick is frequently used by spammers to steal people’s PayPal accounts, by tricking them in to “resetting” their password at a site owned by the spammer but disguised as PayPal.com.

Today’s new Internet Explorer vulnerability makes the problem a hundred times worse. By including an 0x01 character after the @ symbol in the fake URL, IE can be tricked in to not displaying the rest of the URL at all. Don’t expect a patch for a while either; the guy who discovered the bug released it to BugTraq on the same day he notified the vendor.

Posted 9th December 2003 at 7:21 pm · Follow me on Mastodon, Bluesky, Twitter or subscribe to my newsletter

More recent articles

This is Nasty new IE vulnerability by Simon Willison, posted on 9th December 2003.

Next: Implementing filesystems in Python

Previous: YAGNI and DRY

Monthly briefing

Sponsor me for $10/month and get a curated email digest of the month's most important LLM developments.

Pay me to send you less!

Sponsor & subscribe

Previously hosted at http://simon.incutio.com/archive/2003/12/09/nastyBug