Insert link facilitates phishing attacks
Ashish Gupta
ashmew2 at gmail.com
Wed Nov 20 20:36:45 EST 2013
As Mark said, if you just let your browser open the link that is being
shown, the browser will simply open twitter<not a dot>com , which will
ultimately fail with something like a "Please check the URL. Page not
found.".
Wouldn't that take care of the problem automatically ?
- Ashish
On 21 Nov 2013 06:53, "Thijs Alkemade" <thijsalkemade at gmail.com> wrote:
>
> On 21 nov. 2013, at 01:59, Coyo <coyo at darkdna.net> wrote:
>
> > He's got a point. It wouldn't exactly be a breaking change to silently
> change the anchor's target to the link in the description. descriptions
> such as "click here" are legitimate, but if "twitter.com" links to
> something that isn't "twitter.com/intent/follow" or something within the
> same domain, I can't think of any legitimate use cases that would break if
> this were filtered.
>
> Then they can still send “twitter,com”, “twitter ̣com”, “twitter¸com”…
> there are probably hundreds of UTF8 characters that, when not examined
> closely, can be confused for a dot. Or hidden characters that will throw
> off your domain name check. Figuring out what might look like an URL to
> users is not as easy as it might sound.
>
> Thijs
> _______________________________________________
> Devel mailing list
> Devel at pidgin.im
> http://pidgin.im/cgi-bin/mailman/listinfo/devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pidgin.im/pipermail/devel/attachments/20131121/1e0bf029/attachment.html>
More information about the Devel
mailing list