Insert link facilitates phishing attacks

Eion Robb eion at robbmob.com
Wed Nov 20 21:05:20 EST 2013


That's not really friendly to IDN links, which legitimately have UTF-8
characters in the URL (via punycode).


On 21 November 2013 15:03, Ashish Gupta <ashmew2 at gmail.com> wrote:

> Probably a helpful post-click message box will help the situation:
>
> "The link you are trying to open contains characters that are neither
> alphanumeric nor one of [ "-", "." ... ]. Should I still proceed?"
>
> - Ashish
> On 21 Nov 2013 07:06, "Ashish Gupta" <ashmew2 at gmail.com> wrote:
>
>> As Mark said, if you just let your browser open the link that is being
>> shown, the browser will simply open twitter<not a dot>com, which will
>> ultimately fail with something like a "Please check the URL. Page not
>> found."
>>
>> Wouldn't that take care of the problem automatically?
>>
>> - Ashish
>> On 21 Nov 2013 06:53, "Thijs Alkemade" <thijsalkemade at gmail.com> wrote:
>>
>>>
>>> On 21 nov. 2013, at 01:59, Coyo <coyo at darkdna.net> wrote:
>>>
>>> > He's got a point. It wouldn't exactly be a breaking change to silently
>>> > change the anchor's target to the link in the description. Descriptions
>>> > such as "click here" are legitimate, but if "twitter.com" links to
>>> > something that isn't "twitter.com/intent/follow" or something within
>>> > the same domain, I can't think of any legitimate use cases that would break
>>> > if this were filtered.
>>>
>>> Then they can still send “twitter,com”, “twitter ̣com”, “twitter¸com”…
>>> there are probably hundreds of UTF-8 characters that, when not examined
>>> closely, can be confused for a dot. Or hidden characters that will throw
>>> off your domain name check. Figuring out what might look like a URL to
>>> users is not as easy as it might sound.
>>>
>>> Thijs
>>> _______________________________________________
>>> Devel mailing list
>>> Devel at pidgin.im
>>> http://pidgin.im/cgi-bin/mailman/listinfo/devel
>>
>>
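The two concerns raised in the thread, link text that reads as one host while the href points somewhere else, and dot lookalikes or hidden characters that defeat a naive string comparison, can both be handled by canonicalising both sides to their ASCII (punycode) host before comparing, which also keeps Eion's IDN case working. The Python below is an added illustration, not Pidgin code; the lookalike and invisible character sets are constructed and not exhaustive, and the subdomain allowance and the three outcome labels are assumptions of this example.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed, illustrative sets (not exhaustive): characters a reader may take
# for a "." in a hostname, and invisible characters that defeat a naive string
# comparison of link text against link target.
DOT_LOOKALIKES = {",", "\u0323", "\u00b8", "\u3002", "\uff0e", "\u2024", "\u02d9"}
INVISIBLES = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}
HOSTNAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

def host_of(text):
    """Return the host part of a URL or of a bare 'host/path' string."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    try:
        return urlsplit(text).hostname or ""
    except ValueError:
        return ""

def canonical_host(text):
    """Canonicalise a displayed host to its ASCII (punycode) form, or ''.

    Invisible characters and whitespace are dropped, dot lookalikes become real
    dots, the result is NFKC-folded and IDNA-encoded (Python's idna codec is
    IDNA2003), so a Unicode IDN and its punycode A-label compare equal.
    """
    chars = ["." if c in DOT_LOOKALIKES else c
             for c in text if c not in INVISIBLES and not c.isspace()]
    folded = unicodedata.normalize("NFKC", "".join(chars)).lower().strip(".")
    try:
        ascii_host = folded.encode("idna").decode("ascii")
    except UnicodeError:
        return ""
    return ascii_host if HOSTNAME.match(ascii_host) else ""

def check_link(display_text, href):
    """Compare what a link shows with where it goes: 'plain' (text is not a
    hostname, nothing to compare), 'match' (same host or a subdomain of it) or
    'mismatch' (text reads as one host, target is another)."""
    shown = canonical_host(host_of(display_text))
    if not shown:
        return "plain"
    target = canonical_host(host_of(href))
    if target == shown or target.endswith("." + shown):
        return "match"
    return "mismatch"
```

A "mismatch" result is what a client would use to trigger the confirmation prompt Ashish suggests, while "plain" links such as "click here" are left alone.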