One of the standards that has been part of web browsing for years is a method of including a username and password in a hypertext link, in order to facilitate being able to conveniently logging into a protected site. For instance, were my site password-protected, one could add username:password@ to the beginning of the web address, creating a link that looked like http://username:password@www.michaelhanscom.com/ in order to log in with a single click.
The downside to this is that because that information is optional and not always used, a web browser ignores any characters up to and including the ‘@’ symbol if they are included in a link, as they are not part of the address being requested. The target webserver will also ignore those characters if it is not configured to require login information to access its hosted web pages.
This has led to one of the more common forms of ‘link spoofing’ — I’ve seen it myself in hoax e-mails purporting to be from PayPal. The perpetrator will create a false page on a webserver they control that appears to be a page on PayPal’s site that asks for the victims credit card information. They will then create an e-mail also formatted to appear as if it came from PayPal, asking the victim to log in and verify their information. When they give a URL to click, it will look something like http://www.paypal.com@12.345.67.890/verify.html — which to many people, appears to go to PayPal’s site. However, because the browser is ignoring the ‘@’ and everything before it, the browser is actually pulling a page from the IP address 12.345.67.890 and not from PayPal, and any credit card information they enter into that page will go not to PayPal, but to some anonymous criminal taking advantage of people’s ignorance of how the web works to collect useable credit card numbers.
Making the matter worse, versions of Internet Explorer prior to 6.0 (Service Pack 1) on the PC had a bug where if a (false) web address was included in a link before the @ symbol, that address would display in the browser’s address field rather than the address of the site actually being visited. In other words, in the above example, the user would see http://www.paypal.com/ in their web browser address field rather than http://12.345.67.890/. This bug has been fixed in IE 6.0sp1, but far too many people have yet to upgrade.
Microsoft, in their infinite wisdom, has decided that enough is enough, and are taking steps to combat this type of hoax. How are they doing this? Not by attempting to educate their customers in any way, releasing a patch for other versions of IE to fix the bug, or by adding a simple ‘This type of URL may be dangerous’ warning dialog when links formatted this way are clicked (something that I think would be fairly easy to add — just scan the link to see whether or not it follows the username:password format before the @ symbol; if it doesn’t, pop up an alert box). No, instead of any of those options, they’re breaking the long-standing standard.
To mitigate the issues that are discussed in the “Background information” section of this article, Microsoft plans to release a software update that removes support for handling URLs of this form in Internet Explorer and Windows Explorer. After you install this software update, Windows Explorer and Internet Explorer do not open HTTP or HTTPS sites by using a URL that includes user information. By default, if user information is included in an HTTP or an HTTPS URL, a Web page with the following title appears: Invalid syntax error
Great idea, guys.
Update: According to CodePoetry, it appears that Microsoft may actually be following standards, and the use of usernames and passwords in URLs is officially discouraged. If that’s the case, then…well, that’s that. I guess it’s not such a bad thing after all (if a little inconvenient in some instances).
And here’s another goodie: there are a few other various ways that malicious people can craft, hide, and spoof URLs that take advantage of bugs in various versions of IE so that the URL displayed in IE’s address bar is not the URL of the site actually being visited. Microsoft has issued a tech note explaining that the most effective way to be sure that you are visiting the sites you really want to visit is to simply type the address into IE’s address bar manually.
So, to be absolutely sure that you are visiting the two Microsoft Support documents that I’ve linked above, please do not click on the links. Instead, move your cursor into IE’s address bar, click and select the displayed address, hit ‘Backspace’ to erase that, and type the following two URLs manually into the address bar:
http://support.microsoft.com/default.aspx?scid=kb;%5bLN%5d;834489http://support.microsoft.com/default.aspx?scid=kb;[ln];833786
No typos now!
There. Don’t you feel better, safer, and more secure now?
I know I do. But then, I haven’t used Internet Explorer in ages.
(via codepoetry and Mark Pilgrim)
iTunes: “Vinegar and Salt” by Hooverphonic from the album Magnificent Tree, The (2000, 3:20).
