Wednesday, January 16, 2008

1208929639 is google?

browsers parse 10 digit numbers as IP addresses

Affects: IE6, IE7, Firefox

At first this appears to be a "feature", but when the consequences of this bug are thought through, it is just one more vector of attack for unwitting surfers to fall prey to.

If you click on the following link (the href is the same as the text you see), it will take you to a web site!

[Screenshot: type 1208929639 in address bar; result: GOOGLE]

http://1208929639/

Looks familiar?

First off, what are these URLs? Well, if you take the IPv4 address of any domain, convert each octet to hex, concatenate the hex values, then convert the result back to decimal, you'll get a 10 digit number.

As it turns out, IE & Firefox will handle this 10 digit number, resolve the IP Address, and navigate to it.

e.g. This blog post can be accessed by this URL (only in IE!): browsers parse 10 digit decimal numbers as IP addresses


What this means is that phishing scams, and any site that wants to lure you into downloading malicious software, now have yet another way to do so. It also means that any spam filtering or blacklisting software needs to handle roughly double the amount of URLs in order to protect users!
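The conversion described above, and the matching fix for a blacklist (normalise every integer spelling of a host back to the dotted quad before lookup), as an added Python example that is not part of the original post. It goes slightly beyond the post's decimal case and also folds the 0x-hex and leading-zero octal spellings that inet_aton-style parsers accept; the 72.14.205.103 address is the one quoted in the post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, taken from the post: www.google.com resolved to this in 2008.
SAMPLE_IP = "72.14.205.103"


def dotted_to_decimal(ip: str) -> int:
    """The post's recipe: each octet to two hex digits, concatenate, read as one number.
    Arithmetically this is just big-endian base-256 packing of the four octets."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    hex_concat = "".join(f"{o:02X}" for o in octets)  # "480ECD67" for the sample
    return int(hex_concat, 16)                         # 1208929639 for the sample


def decimal_to_dotted(n: int) -> str:
    """Inverse of dotted_to_decimal: unpack four big-endian octets."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"{n} is outside the IPv4 range")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


# A host made of a single number: decimal, 0x-hex, or leading-zero octal.
_INTEGER_HOST = re.compile(r"^(?:0x[0-9a-f]+|[0-9]+)$", re.IGNORECASE)


def _parse_integer_host(host: str) -> int:
    if host[:2].lower() == "0x":
        return int(host[2:], 16)
    if len(host) > 1 and host[0] == "0":
        return int(host, 8)  # raises ValueError on "09", as inet_aton would reject it
    return int(host, 10)


def canonical_host(url: str) -> str:
    """Return the URL's host with any single-integer host rewritten as a dotted quad,
    so a blacklist keyed on dotted quads matches every spelling of the same address.
    Hosts that are not integers, or that do not fit in 32 bits, are returned unchanged."""
    host = urlsplit(url).hostname or ""
    if not _INTEGER_HOST.match(host):
        return host
    try:
        return decimal_to_dotted(_parse_integer_host(host))
    except ValueError:
        return host
```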

(currently running tests on various browsers to determine the number affected)

Example:

//tracert www.google.com
// => 72.14.205.103
// => Hex
// 48.0E.CD.67
// 480ECD67 => Decimal
// => 1208929639
//Fake Label

1 comment:

akashtakyar said...

I really don't think that this could be a threat to anyone. It is just similar to typing www.google.com. I really don't think that it is a security concern.