The result is a URL similar to: http://1249717651/

As you see, there is no real way to know whether your on the Official Google web page or if the site you are at is an attack site waiting for you to do something.

All your URL are belong to us

You can easily place a random website location as a username in front of the dotless IP which would really confuse the user. In this example, I will show you how to forge the www.bing.com URL but really direct the user to Google.com:

See hyperlink: http://www.bing.com:\@1249717651

Browser inSecurity

Ok so, now that you understand how simple URL obfuscation is; what security do browsers implement to prevent us from accidentally clicking on a malicious link?

With FireFox 3.6

Because the spoofed URL is actually a username that is being concatenated with the dotless IP, FireFox checks whether the site requires authentication. The default installation prompts the user with an alert letting them know the link is suspicious because the requested server does not require authentication however the link contained a login.

With IE7/8, using authentication in line is turned completely off.

Hacking the Gibson

Ok, so we understand there is a potential hazard with spoofed URL’s and we also see that browsers attempt to protect us by either prompting us with a message or disabling the opportunity all together. But just how secure is that? How easy would it be for a trojan to re-enable those features in our favorite browser for future contamination of URL’s?

IE7/8 Instability

Since Microsoft loves to store settings in the registry for just about everything, I am sure you won’t be surprised to know that by adding 2 simple entries in the registry you can re-enable this “feature”.

All you have to do is create 2 new DWORD entries (iexplore.exe and explorer.exe) with the value 0 under the sub-key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

How Firefox flops

Of course Firefox is going to be a little bit more tricky because it doesn’t store its preferences in the registry. The little warning message can be completely disabled by simply setting a custom preferences within Firefox by accessing the settings through typing, about:config in the address bar but that won’t work for our circumstance.

The problem with this is that an attacker that has already infiltrated a machine can overwrite these browser profile settings by injecting a custom setting into prefs.js which is the preferences Firefox loads during initialization.

user_pref(“network.http.phishy-userpass-length”,100);

With a simple one-liner batch script, this feature can be enabled leaving future links prone to becoming spoofed.

• WindowsXP
  FOR /R “C:\Documents and Settings” %%G IN (prefs.js) DO echo user_pref(“network.http.phishy-userpass-length”,100); >> %%G

• Vista/7
  FOR /R “C:\USERS” %%G IN (prefs.js) DO echo user_pref(“network.http.phishy-userpass-length”,100); >> %%G

And then there was Chrome

As frightening as this might sound, Chrome did not protect the user from this at all. Google is usually on-top of things but I guess with Chrome still being fairly immature in the browser arena, we can only hope things get better from here.

Leaving users with their pants down

Why do browsers make it so easy to re-enable this stuff? Firefox preferences should be in a controlled environment behind lock and key. Microsoft IE should at least prompt when a suspicious link is clicked. With the rise in crime-ware Trojans, harvesting bank credentials is going to get easier and easier for criminals.

Under normal circumstances we would notify the vendors to let them know the vulnerability but because this attack vector has been addressed in the previous years, the re-enabling of the functionality is more of a design flaw then a vulnerability.

What’s Next?

You should periodically check whether or not these settings are enabled. New age trojans, such as ‘Koobface’ are using these oldschool tricks to mask their true locations (See Webroot).

I published a utility called ‘Dotless’ which will scan and fix your browser preferences. Check it out in the Utilities Section

Stay tuned as we peek into how this bug is easily exploited on mobile devices.

Since these types of applications store sensitive data, I wanted to see how hard it was to obtain this information assuming a handset was lost or stolen.  The common denominator between all the popular apps were the use of a master password. Some of the apps stored master passwords locally while others stored them remotely. All the apps stored banking information, passwords, and credit card numbers.

With being able to turn off your SIM card if your phone is lost or stolen; its not as easy to change passwords to sites or notify banks of accounts that could have been compromised.

With such a major number of users adding Android MOD’s such as Cyanogen to their device, it greatly increases the risk of personal information being leaked when a phone is stolen or lost.

We have already started notifying vendors of the vulnerabilities we have found.  Stay tuned as we start posting some of the results, you will be surprised at just how easy these applications could be compromised by attackers.

Stay tuned as I start over-turning evidence in hopes of inspiring others to take it further.