[Mini] .ZIP becomes a TLD. Immediately used for Phishing, Data Leaks

rcmaehl
43 minutes ago, LAwLz said:

Can you give me an example where someone would fall for a scam because of this new TLD, but wouldn't fall for it with other TLDs? I just don't see how this poses any new risk that could result in more people being scammed.

Like Jad said, the two examples from before. Especially if the would-be targeter didn't set it up as a hyperlink, instead having it as a piece of text that the user has to copy. It creates a situation where, if you do need to copy-paste the URL, you essentially have to look for the @ now.

On top of that, it now means all those auto-hyperlinked texts in things such as YouTube comments have now become links. If someone writes a tutorial or some kind of instruction like "Download the player.models.zip, extract and load into Blender" (a few new lines and then a URL to the actual zip), the comment will now also contain a link to player.models.zip at the "Download the player.models.zip" portion.

The simple fact is this opens up new avenues of attack that the general public hasn't at least been trained against.

People do still fall for things like go0gle.com or google.com.attachment.zip... but it's a lot more believable for people to fall for https://google.com∕@attachment.zip

3735928559 - Beware of the dead beef

1 hour ago, jagdtigger said:

You already got those:

I happen to know what those @ symbols do, but I bet you that even most of the more savvy users don't really know about its function. (It's pretty old after all.) Plus most links look horrendous nowadays with all the tracking and whatnot, so have fun looking for that @ symbol.....

No need to act smug and superior. I work with SSH all day and am well aware of what it does.

I don't see how the .zip TLD makes this any more or less dangerous though, or how it enables some unique attack vector that didn't already exist.

Hell, did anyone even try and hover over those links or click on them? If you hover over them it becomes very clear that they do not go to google or Nvidia. They go to attachment.zip. 

If the argument is that "well you only see that if you hover over them" then news flash, this is already the case and has been the case for decades. You cannot trust the displayed text because the actual link and the displayed text can be changed interchangeably. This has been the case for well over 20 years already.

www.google.com <- this link does not go to the website www.google.com

1 hour ago, rcmaehl said:

The case in which the user has failed internal phishing tests before and now knows better after way too many trainings, but doesn't currently expect .zip to be anything but files.

Can you please explain how the TLD makes a difference in such a scenario?

49 minutes ago, Sauron said:

People are told to check that the URL starts with https: and that they should check the domain to make sure it matches what they want; this way they aren't fooled by the common stuff like http://micro.soft.com or https://www.go0gle.com . They are also often told to look out for "dangerous" file extensions like .exe. Attackers using a .zip TLD don't need to trigger any of these defenses with their malicious domain.

But that isn't the worst part. People can learn about this and avoid it. What they can't necessarily avoid is a program thinking itself smart by interpreting a file path as a URL. In that case you might be looking to open "openjdk-20.0.1_windows-x64_bin.zip" and have your program navigate to "http://www.openjdk-20.0.1_windows-x64_bin.zip", which may in turn serve it a file that might be dangerous or phish the user.

I think you are greatly overestimating people if you think they not only look at the URLs that carefully, but also know about how a URL can be "spoofed" (the actual link not matching the text displayed), and also know to look out for specifically .exe files. I think the list of criteria where this makes a difference is already pretty long, to the point where this scenario wouldn't really happen in the real world.

Can you give an example of when your second scenario might actually occur, and what consequences it would have? Because I am not aware of any programs that would interpret a file as a URL. The way programs handle files just doesn't work that way. It would have to for some reason cut off part of the file path and then replace it with HTTP://, which I have never seen a program do and I don't see why any program would work that way either.

14 minutes ago, LAwLz said:

I think you are greatly overestimating people if you think they not only look at the URLs that carefully, but also know about how a URL can be "spoofed" (the actual link not matching the text displayed), and also know to look out for specifically .exe files.

This is what's usually taught in cybersecurity 101 courses for office workers. Obviously that doesn't mean people don't routinely ignore these guidelines but at least there's a chance. Further, a link to a zip file is _common_ in office spaces and does not trigger the suspicion a random link would, even among people who know better. I can't say I triple check every link to a file I get (though I might have to start now), do you?

18 minutes ago, LAwLz said:

Can you give an example of when your second scenario might actually occur, and what consequences it would have? Because I am not aware of any programs that would interpret a file as a URL.

I can think of at least one...

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*

31 minutes ago, Sauron said:

This is what's usually taught in cybersecurity 101 courses for office workers. Obviously that doesn't mean people don't routinely ignore these guidelines but at least there's a chance. Further, a link to a zip file is _common_ in office spaces and does not trigger the suspicion a random link would, even among people who know better. I can't say I triple check every link to a file I get (though I might have to start now), do you?

Well, I do check every link but I work with security so we shouldn't really go with what I do. Besides, people do slip up sooner or later.

But what I don't get is how this is relevant to this conversation. A link and a file are two separate things that generally don't mix. They are separate things. 

Can you please explain the exact scenario in as much detail as possible where this poses a unique danger that wasn't an issue before?

If you're talking about files being sent in an email then my experience is that they are usually attached documents, and you cannot attach a URL in that way. So someone getting sent a "file" that is actually a link can't happen. Even if it was possible, clicking a zip file and having a website open in your browser should raise some alarm bells even for a less tech-savvy person.

If someone gets sent a link to a file and the email says "please visit this website to download the file" then the TLD doesn't matter because the user already has to agree to the idea of clicking an unknown link and then downloading files from a website, and at that point I doubt the TLD is the thing that will tip the scale since they already have to have "failed" at several stages and ignored several red flags.

31 minutes ago, Sauron said:

I can think of at least one...

That's not a program trying to open a file, and it wouldn't actually open the website. It would open Bing.

I don't think the program you described actually exists because it would require very weird programming just to open up a potential vulnerability. 

Searching for something on Bing if the file isn't found is VERY different from "a program getting tricked into visiting a specific website when it should open a file, because the website shares its name with the file". The former is what's happening in your screenshot, and the latter is what you described earlier.

45 minutes ago, LAwLz said:

If you're talking about files being sent in an email then my experience is that they are usually attached documents, and you can not attach a URL in that way.

There are lots of places that still send links as opposed to attachments, especially for larger files.

But if you want a real-world example of how I would exploit it (I'm using a doc file because it's easier to write an example of how silly it is):

I would create a burner PayPal business account; I would then send out invoices to people with a request for funds.

Inside the request text, I would write something along the lines of the following (PayPal embeds the text into its emails):

Quote

An invoice for $100 was automatically accepted.

Please view the attached invoice at https://paypal.com∕@2023.06.02.invoiceforpayment.doc

To dispute this charge please contact us at 1-800-scammer-num

100% of people will have their guard down more than if it was some variation of the PayPal name... because people have become accustomed to looking at the beginning part of the URL and then also the end portion.

Other real-world ones as well; again, YouTube now adds comments in the format of [xyz].zip as links. So again, a real-world attack would be to find videos that explain how/where to download a file, and now you can just hijack the part where it says download the attachment.zip from below.

People will be more inherently trusting of, let's say, a big-name YouTuber on a video that has been around for a long time, trusting the comment... despite them not intending to.

Or just in general. Type attachment.zip into Windows File Explorer; it automatically opens the attachment.zip site because it's assuming it's a URL now.


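Added example (not code from any poster in this thread): a small Python triage script showing what a mail or comment filter could check on the strings discussed above. It reports the host a browser actually contacts for a URL that uses the "@" trick with a look-alike slash (urlsplit applies the same userinfo rule the browser does), and lists bare file-name-like tokens that a TLD-aware auto-hyperlinker would now turn into links. The sample text is constructed from the examples quoted in the thread, and the linkifier regex is a simplification; real clients differ.

```python
import re
from urllib.parse import urlsplit

# Only the TLD under discussion is treated as newly risky. The thread also
# notes .com, .pl, .sh, .rs and .py collide with file extensions, but those
# have been TLDs for decades, so they are not flagged here.
FILE_LIKE_TLDS = {"zip"}

# Characters that render like "/" but are not the ASCII solidus. A browser
# sees no path separator, so everything before "@" is userinfo, not a host.
CONFUSABLE_SLASHES = {
    "\u2215": "DIVISION SLASH",
    "\u2044": "FRACTION SLASH",
    "\uff0f": "FULLWIDTH SOLIDUS",
}

URL_TOKEN = re.compile(r"https?://[^\s<>\"']+")
# Bare dotted tokens an auto-hyperlinker considers for linking (simplified).
HOST_TOKEN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def inspect_url(url: str) -> dict:
    """Return the host a browser would contact plus human-readable findings."""
    findings = []
    for ch, name in CONFUSABLE_SLASHES.items():
        if ch in url:
            findings.append(f"confusable slash U+{ord(ch):04X} ({name})")
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if parts.username is not None:
        # urlsplit already applies the rule argued about in the thread: the
        # text before "@" is userinfo and the real host comes after it.
        kind = "domain-like" if "." in parts.username else "present"
        findings.append(f"userinfo {kind} before '@': {parts.username!r}")
    tld = host.rsplit(".", 1)[-1].lower()
    if tld in FILE_LIKE_TLDS:
        findings.append(f"host ends in file-extension-like TLD .{tld}")
    return {"host": host, "findings": findings}


def linkifiable_tokens(text: str, tlds=frozenset(FILE_LIKE_TLDS)) -> list:
    """Bare tokens like player.models.zip that a TLD-aware linkifier now links."""
    return [t for t in HOST_TOKEN.findall(text)
            if t.rsplit(".", 1)[-1].lower() in tlds]


def triage_text(text: str) -> dict:
    """Map every link a client might render from free text to its inspection."""
    report = {}
    for url in URL_TOKEN.findall(text):
        url = url.rstrip(".,;:)")
        report[url] = inspect_url(url)
    # Blank out explicit URLs first so their hosts are not counted twice.
    for tok in linkifiable_tokens(URL_TOKEN.sub(" ", text)):
        report[tok] = inspect_url(tok)
    return report


if __name__ == "__main__":
    # Constructed sample text built from the strings quoted in the thread.
    sample = (
        "Please view the file at https://google.com\u2215@attachment.zip\n"
        "Download the player.models.zip, extract and load into Blender.\n"
        "Docs are at https://www.google.com/search?q=blender"
    )
    for link, result in triage_text(sample).items():
        print(f"{link}\n  host: {result['host']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```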
I'm convinced there is nothing that can be said to convince you otherwise, @LAwLz. Plenty of argument has been presented and you don't seem to grasp or accept any. You are entitled to your opinion, of course, so I'd like to move on.

What have you been doing to prevent the "that user" category of people around you, that would be fooled by these or other attacks, from falling victim to scams?

I've been seriously considering a Pi-hole for some time now. But Raspberry Pis or other SBCs seem to be quite unavailable in my region.

From my point of view I can agree the .zip TLD does open some new avenues, but it's a drop in the ocean and people are making it out to be too huge a thing.

Like seriously, if we zoom out and look at the bigger picture, phishing with URLs is a pretty marginal thing because mostly you don't need to go that far. Just put up a site "free-iphone.hosting.com" promising an iPhone for the shipping costs, asking for CC info, send 1M emails and you are swimming in legit CCs to empty; or the reason there are so many bots on YT scamming is simply that it works. The .zip TLD does something, but only marginally, when people are generally even more stupid than you could ever imagine.

And when it comes to TLDs, there are bigger things than what their imagined pronouns are. Like that we should have some organization or company ACTUALLY maintaining them. Like holy IKEA s***balls, the world is exploding because of the .zip TLD and probably still daily some company domain even in .com gets f***ed up because NO ONE ACTUALLY GOES THROUGH THE F***ING REGISTRATION APPLICATIONS and it's all automated because profits. Like seriously, all it takes is for Alphabet to miss renewing the Google.com registration one time and it being available for 1 minute (or less; I would guess there are probably enough bots pinging that registration that if it's open for 1 second, it's already gone) and we have the world's biggest problem going on until someone at Verisign wakes up and starts the damage control and returns Google.com to Alphabet.

Not to even start with the ability to register "free-iphone-google.com" or "freeiphonegoogle.com"; Verisign is very happy to receive your money and there's no problem as long as the chosen letter combination is free for the taking. And then we have .whatevers with even less organized management.


Ranting:

The area between "falling for scams, no matter what website" and "knows what a URL is and can evade scams based on URLs" is huge, but the area between the latter and "actually knows enough about URLs to notice the .zip TLD" is pretty damn small. And IMO the teaching shouldn't be about "how to evade scam sites" but about "how to spot the legit sites", and for the low level "Do not press links coming from unknown sources". We have bigger problems down on the "street level" and up on the "tech level" than what .whatever new TLDs, even ones for known files, can open. Like seriously, if one employee working under you, with you, on you, inside you, even tries to open a .zip file from an unknown source, get as far from them as possible, fire them, or at least teach them the very basic thing to not even click on links from unknown origins, download files from unknown sources and, least of all, open ANY file from an unknown source.

If you want to dig deep into these things I can recommend Jayson E. Street's DEFCON talks. In summary, he mostly wants to underline the fact that we live in the skies thinking of all the technical jargon and magic spells, while in reality you don't need any of that to get in, steal everything, kill everyone and cause millions in damages.

All you need is a smile, confidence and sometimes a big box or ladders (not for climbing, that's way too physical, just to look like you need someone to hold the door open). Like in this case we are focused on people mixing up .zip files and the .zip TLD, while the real thing is you don't need either; just put "$1 iPhone, type your CC, phone number, address, the birth dates of your children, social security number, banking information, passwords and the phone number of your dog's vet clinic to buy your $1 iPhone" and there are more than enough people falling for it, and you have a ton of vet clinics to choose from and you can probably even put the treatments on the people who kindly recommended the clinics to you, even if you don't even have a dog but a hamster.

More ranting:

On the top level we have the problems for which no one even wants to do anything, because fixing them would slow things down and most of them would hurt someone's underlines. Like imagine only the pain, frustration and madness that would come from waiting a weekend or even a week for someone to go through your application and say "Your paperwork checks out, you ain't trying to scam anyone or claim to be someone else, the domain is available and not mistakenly expired a second ago, you can register clapthataverageelfbottom.zelda. Have fun building your website!" We should start to harden the very basic protocols, maybe create whole new protocols, against stuff like DDoS attacks and other low-level stuff that can be somewhat mitigated by making the base more robust. Even if it were to cost the whole income of certain companies.

We are starting to be at the point where we really need to make changes, not just patches and updates, but actually ditch old s**t and come up with new stuff that serves us now and is better designed to last the next decade or two. Just like the whole ATX3.0 garbage: what is the point of doing half-a**ed work if we need to make huge changes that either way are going to require changing everything? You are going to need to buy a new PSU, MB, GPU and everything to take full advantage of ATX3.0 when the time comes, so why must it use the same flimsy connectors from the 60's that, well, work, but there are a lot of things that could be improved? Oh yeah, it would cost like 50 cents more per GPU to use a completely new connector with safety clamps, guide rails and beefed-up insides; we cannot afford that with a $2000 GPU.

17 hours ago, LAwLz said:

That's not a program trying to open a file, and it wouldn't actually open the website. It would open Bing.

That's not true. Try it. Type in financialstatement.zip and press enter.

And yes, it's absolutely something you might do while trying to open a local file. Is it partially just asinine design on Microsoft's part? Yes. Is it now a security problem whereas before it was just annoying? Also yes.

17 hours ago, LAwLz said:

If someone gets sent a link to a file and the email says "please visit this website to download the file" then the TLD doesn't matter because the user already has to agree to the idea of clicking an unknown link and then downloading files from a website, and at that point I doubt the TLD is the thing that will tip the scale since they already have to have "failed" at several stages and ignored several red flags.

The user might know that the text of the hyperlink doesn't necessarily correspond to the actual link and check; with a .zip TLD you don't need to hide the real link because it looks genuine. I occasionally get emails from colleagues with instructions on how to install something that include downloading some file from a hyperlink; it wouldn't be that weird to get a link to a zip file, and if their email account was compromised it could be malicious. Maybe you or I could tell that that link from a supposedly trusted source is fishy, but I assure you the vast majority of people wouldn't.

22 hours ago, LAwLz said:

No need to act smug and superior. I work with SSH all day and am well aware of what it does.

I think you mix up frustration with those; you keep repeating "I don't understand" like a broken record even though it's pretty much clear to anyone else here...

22 hours ago, LAwLz said:

If the argument is that "well you only see that if you hover over them" then news flash, this is already the case and has been the case for decades.

Get off the high horse and try to learn how a normie thinks. And rest assured they either don't know about it or don't care for it...... (And just for good measure, that is only true for desktop browsers; good luck on a phone or tablet.)

21 hours ago, wanderingfool2 said:

There are lots of places that still send links as opposed to attachments, especially for larger files.

But if you want a real-world example of how I would exploit it (I'm using a doc file because it's easier to write an example of how silly it is):

I would create a burner PayPal business account; I would then send out invoices to people with a request for funds.

Inside the request text, I would write something along the lines of the following (PayPal embeds the text into its emails):

Quote

An invoice for $100 was automatically accepted.

Please view the attached invoice at https://paypal.com∕@2023.06.02.invoiceforpayment.doc

To dispute this charge please contact us at 1-800-scammer-num

100% of people will have their guard down more than if it was some variation of the PayPal name... because people have become accustomed to looking at the beginning part of the URL and then also the end portion.

And what would this achieve exactly?

It would show up in their email as a link to 2023.06.02.invoiceforpayment.doc because everything before @ does not appear as part of the URL, because it isn't part of the URL. I showed this in my previous response. So anyone inspecting the actual link would see that something was off. The people who don't inspect the link would be equally fooled by someone making an HTML edit to make the link appear as something else.

Again, the text and the link do not need to match. Anything that relies on the text being displayed a certain way is already a vulnerability and always has been. The only way to be sure is to inspect the link itself. For everything else, it does not matter how the URL looks because how it looks has always been editable.

21 hours ago, wanderingfool2 said:

Other real-world ones as well; again, YouTube now adds comments in the format of [xyz].zip as links. So again, a real-world attack would be to find videos that explain how/where to download a file, and now you can just hijack the part where it says download the attachment.zip from below.

That is an actual real-world possibility of a new exploit. I just don't think it is that big or dangerous, and it could literally happen with any new TLD, not just .zip.

21 hours ago, wanderingfool2 said:

Or just in general. Type attachment.zip into Windows File Explorer; it automatically opens the attachment.zip site because it's assuming it's a URL now.

4 hours ago, Sauron said:

That's not true. Try it. Type in financialstatement.zip and press enter.

Wow, Microsoft shitty software never ceases to amaze me. I don't see how this could be exploited though, and it is not what was mentioned earlier. Earlier the argument was that a program would treat a file as a link. That is not what is happening in the search box. What it does is treat a URL as a URL, because the search box is a URL field.

21 hours ago, pbargiona said:

I'm convinced there is nothing that can be said to convince you otherwise, @LAwLz. Plenty of argument has been presented and you don't seem to grasp or accept any. You are entitled to your opinion, of course, so I'd like to move on.

What have you been doing to prevent the "that user" category of people around you, that would be fooled by these or other attacks, from falling victim to scams?

I've been seriously considering a Pi-hole for some time now. But Raspberry Pis or other SBCs seem to be quite unavailable in my region.

There is a difference between making an argument, and actually making a plausible scenario that poses a real threat.

I don't accept them because the arguments that have been presented have been incomplete (not explaining the entire attack chain) or failed to explain precisely what makes them unique to the .zip domain.

I don't think this new .zip domain suddenly requires brand new ways of dealing with scams because I think the threat is just as big now as it was before, and the same methods need to be deployed to counter this.

To me, this new TLD makes absolutely zero difference. The advice is still, be very careful with what you download and which websites you visit. Don't click on random links. Control the entire URL to make sure it is safe (so that you don't fall for freeiphone.apple.com.winner.prize/claim-reward-now or freeiphone.apple.com).

21 hours ago, Quackers101 said:

winrar rip, also would it be easier to block .zip?

I would advise against blocking an entire TLD, because you don't know what it will be used for.

If you block this because "I won't visit websites with that TLD" then one day things on your PC might stop working because in the back-end they might be fetching things from that TLD without you even knowing. In this particular case, maybe WinRAR or 7-Zip decide to move their update URL to update.zip or whatever, and then you stop getting updates, possibly without even noticing.

By the way, I think it is worth mentioning that I am not the only one who thinks people are losing their shit over this for nothing.

If you ask actual security professionals most of them will probably tell you that this is not a big deal. Most of the fearful people seem to be people who don't work with security.

Look at people like SwiftOnSecurity and they will tell you "it's unnecessary", but not actually a serious security threat.

The keywords being "minor phishing tricks". There are already a billion minor phishing tricks out there. One more won't make a big difference.

Or people like Eric Lawrence, one of Microsoft's security engineers:

Google themselves do not think this is a risk either, because these risks already existed.

Eric even went as far as to write an entire blog post where he mentions several name collisions that already exist, including .com, which is a file extension predating the Internet itself, or .pl, which is both for Perl scripts and Poland's TLD. Or .sh, which is a shell script, or Saint Helena's TLD. Or .rs, which is a Rust source file or Serbia's TLD. Or .py, which is for Python files and Paraguay's TLD.

I could probably list like 15 cases where a TLD is the same as a popular file extension and has been that way for years upon years.

15 minutes ago, LAwLz said:

Wow, Microsoft shitty software never ceases to amaze me. I don't see how this could be exploited though, and it is not what was mentioned earlier.

Hang on, you don't see how redirecting someone to a site they didn't intend to visit could be exploited for phishing?

15 minutes ago, LAwLz said:

Earlier the argument was that a program would treat a file as a link. That is not what is happening in the search box. What it does is treat a URL as a URL, because the search box is a URL field.

Maybe that's what you got from my post but that's not what I meant. I said "file path", not file:

Quote

What they can't necessarily avoid is a program thinking itself smart by interpreting a file path as a URL.

Anyway, it's pretty clear in my opinion that this is a security problem that was at least far less present before. The last thing you expect when trying to look for an archive on your computer is for the Windows search bar to redirect you to a phishing site. It doesn't look like a normal phishing attack and people with rudimentary anti-phishing training would not be likely to spot it. Just have your scam site present itself as Google Drive or Microsoft OneDrive and they may not think twice before "logging in" to access their file.

3 hours ago, LAwLz said:

And what would this achieve exactly?

It would show up in their email as a link to 2023.06.02.invoiceforpayment.doc because everything before @ does not appear as part of the URL, because it isn't part of the URL. I showed this in my previous response. So anyone inspecting the actual link would see that something was off. The people who don't inspect the link would be equally fooled by someone making a HTML edit to make the link appear as something else.

Again, the text and the link do not need to match. Anything that relies on the text being displayed a certain way is already a vulnerability and always has been. The only way to be sure is to inspect the link itself. For everything else, it does not matter how the URL looks because how it looks has always been editable.

It doesn't show up as a link; it would show up as text which people would copy-paste, especially when the text appears in an official PayPal email and looks like it's from paypal.com.

Also, it 100% makes a difference in how the URL looks as well; sure, a link in the browser will now say something like https://attachment.zip, but it's a lot more likely that people still get fooled by that than by seeing something like gle.com

3 hours ago, LAwLz said:

Wow, Microsoft shitty software never ceases to amaze me. I don't see how this could be exploited though, and it is not what was mentioned earlier. Earlier the argument was that a program would treat a file as a link. That is not what is happening in the search box. What it does is treat a URL as a URL, because the search box is a URL field.

Call up someone and tell them to hit the start button and type attachment.zip.

You now have directed them to a site, and a payload. It's easier to exploit, as many wouldn't be thinking it's sending them to a website.

To put it in perspective, if you tell someone to type attachment.com into their Windows search they will most likely have a better whereabouts... tell them with something that is typically considered a file type to most people and they would be a lot easier to convince.

On 6/3/2023 at 4:57 PM, jagdtigger said:

Get off the high horse and try to learn how a normie thinks. And rest assured they either don't know about it or don't care for it......

Are you seriously accusing me of being the one "on a high horse"? Did you read your own post?

On 6/2/2023 at 5:08 PM, jagdtigger said:

I happen to know what those @ symbols do, but I bet you that even most of the more savvy users don't really know about its function.

On 6/3/2023 at 4:57 PM, jagdtigger said:

And rest assured they either don't know about it or don't care for it...... (And just for good measure, that is only true for desktop browsers; good luck on a phone or tablet.)

And in those cases this literally makes ZERO difference, because if you cannot inspect the actual link then it does not matter at all what the link says.

If you do not inspect the actual link (looking at the link in the bottom corner on a desktop browser, checking the page source, or something along those lines) the way I showed then you have never been safe clicking on a link, because it has been possible to make a link appear however you want for decades.

If you do not look at the actual link itself (not the text that appears on your screen) then you would have no idea that this link www.google.com does not go to the same website as this link, www.google.com.

If we accept the arguments that people trust something that ends with .zip, and the argument that people do not inspect the actual hyperlinks and instead just look at the text displayed, then we must also accept that someone would have clicked on this link: attachment.zip which is a link that I can make go to any website I want. This is not new. This was possible before .zip became a TLD. Hell, I can do it with any file extension I want. attachment.png.

The simple fact is that the only way to be sure what a link goes to is to look at the link itself, not the text presented to you. If you haven't done this before then this new top-level domain makes zero difference. This has not changed. Did you not inspect the links themselves before clicking on them? Then you have never been safe, and this does not change that.

Also, let me just reiterate one of the points I made earlier. You will find few security professionals that actually think this is a big deal. Of course, some might (there is rarely 100% consensus, some doctors will speak out against the covid vaccine too), but the majority I have spoken to and follow would at most say this is "unnecessary" but that's about it. The people who are reacting the strongest to this seem to be people who have little to no experience with IT security and are drumming up drama and fear because it generates clicks, which is what they make money from.

If you want to host a website called example.com with Apache, the default URL is example.com/index.php, but you can change it to be example.com/index.aspx (make it look like you're using IIS) or example.com/index.html or example.com/index or just example.com or even example.com/index.zip, which will open a webpage instead of downloading a file. (And it's more effective, since it looks more legitimate than example.zip.)

This scam was already possible without a TLD, but for some reason scammers didn't think to do this.

I think somebody at Google noticed this and decided to get scammers to buy new domains from them before they realize they can just change the file extension for free on their existing domains instead.

I think Google scammed the scammers.


1 hour ago, alextulu said:

This scam was already possible without a TLD, but for some reason scammers didn't think to do this.

No it wasn't, read the whole topic.


17 minutes ago, jagdtigger said:

No it wasn't, read the whole topic.

Not everything.

Without a zip TLD, an automatic hyperlinker won't convert example.zip to a link, but you can still have example.com/index.zip as a webpage instead of a zip file.

I forgot about automatic hyperlinkers.


1 minute ago, alextulu said:

Without a zip TLD, an automatic hyperlinker won't convert example.zip to a link, but you can still have example.com/index.zip as a webpage instead of a zip file.

Still missing the point, that method still raises the red flag because of the domain, but with a .zip and the old function of the @ symbol you can make genuine-looking URLs......


8 hours ago, jagdtigger said:

Still missing the point, that method still raises the red flag because of the domain, but with a .zip and the old function of the @ symbol you can make genuine-looking URLs......

See:

21 hours ago, LAwLz said:

If we accept the arguments that people trust something that ends with .zip, and the argument that people do not inspect the actual hyperlinks and instead just look at the text displayed, then we must also accept that someone would have clicked on this link: attachment.zip which is a link that I can make go to any website I want. This is not new. This was possible before .zip became a TLD. Hell, I can do it with any file extension I want. attachment.png.

 

 

8 hours ago, alextulu said:

Not everything.

Without a zip TLD, an automatic hyperlinker won't convert example.zip to a link, but you can still have example.com/index.zip as a webpage instead of a zip file.

I forgot about automatic hyperlinkers.

As pointed out by Eric Lawrence, links are not automatically generated unless a developer specifically adds that function for that particular TLD. We currently have almost 1500 different TLDs and only a few of them actually get included in the automatic link generation in programs. Chances are this won't be an issue unless developers start actually making it an issue, and it might be a good idea to not treat everything that contains .zip as a link. Not because it creates some unique security vulnerability that poses a big threat, but because it might be annoying (and a very, very slight security risk).
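The developer-side choice the post above describes, that a linkifier only turns text into links for TLDs it has been told about, looks like this in practice. This is an added example written for this thread, not code from any product or poster mentioned in it; the TLD allowlist is an assumed placeholder for a real product's policy, and the sample sentence is constructed after the "player.models.zip" tutorial comment quoted earlier in the thread.

```python
"""Added example: a linkifier that only creates links for an allowlist of TLDs,
so a bare 'player.models.zip' in a comment stays plain text.

Not code from the thread or from any product it mentions. LINKIFY_TLDS is an
assumed placeholder standing in for a real product's policy.
"""
import html
import re

# Assumed allowlist; deliberately leaves out TLDs that read as file extensions.
LINKIFY_TLDS = {"com", "org", "net", "edu", "gov", "io", "dev"}

URL_RE = re.compile(
    r"(?P<scheme>https?://[^\s<]+)"                          # explicit http(s) URL
    r"|(?P<bare>\b(?:[a-z0-9-]+\.)+(?P<tld>[a-z]{2,63})\b"   # bare host, e.g. docs.example.org
    r"(?:/(?:[^\s<]*[^\s<.,;:!?)])?)?)",                      # optional path, no trailing punctuation
    re.IGNORECASE,
)


def linkify(text):
    """Return (html_fragment, links).

    Explicit http(s) URLs are always linked (the author typed a scheme).
    A bare host is linked only when its TLD is allowlisted; anything else,
    such as attachment.zip or 2023.06.24.hotfix.zip, is emitted as escaped text.
    """
    out, links, pos = [], [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        pos = m.end()
        if m.group("scheme"):
            url = m.group("scheme")
        elif m.group("tld").lower() in LINKIFY_TLDS:
            url = "http://" + m.group("bare")
        else:
            out.append(html.escape(m.group(0)))   # leave it as plain text
            continue
        links.append(url)
        out.append(
            f'<a href="{html.escape(url, quote=True)}">{html.escape(m.group(0))}</a>'
        )
    out.append(html.escape(text[pos:]))
    return "".join(out), links


if __name__ == "__main__":
    # Constructed sample, modelled on the tutorial comment quoted in the thread.
    sample = ("Download the player.models.zip, extract it and load it into Blender. "
              "Docs at blender.org/manual.")
    fragment, found = linkify(sample)
    print(fragment)
    print(found)
```

With the allowlist above, `blender.org/manual` becomes an anchor while `player.models.zip` is left alone, which is the behaviour the post argues for: a product opts a TLD into auto-linking rather than linking every dotted token that happens to end in a registered TLD.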


On 6/3/2023 at 3:23 PM, LAwLz said:

If we accept the arguments that people trust something that ends with .zip, and the argument that people do not inspect the actual hyperlinks and instead just look at the text displayed, then we must also accept that someone would have clicked on this link: attachment.zip which is a link that I can make go to any website I want. This is not new. This was possible before .zip became a TLD. Hell, I can do it with any file extension I want. attachment.png.

You are ignoring the argument that people are making though by trying to strongarm in what you think people are talking about.

 

No one is talking about people seeing things like www.google.com/attachment.zip and just automatically trusting that the hyperlink is what the text is.

 

It preys on people trusting companies like google or microsoft along with the fact that people don't associate .zip with things like websites but associate them more with .com

 

Again, a real-world attack would be, let's say, setting up an invoice in PayPal with a https://paypal.com∕@disupute.charges.doc in the text.  It is text, not a hyperlink, and yes you would get a whole lot more people feeling that it would be safe to copy-paste the link

Or even posting on a forum board, instead of offering up the link as a hyperlink, instead just pasting it plain.  So someone having difficulty with, let's say, Windows Update, and someone posts advice like
Microsoft issued a hot fix that might work, you can find it at https://microsoft.com∕updates∕@2023.06.24.hotfix.zip

 

It's something that really could be done that well before without being a lot more obvious

 

Even IF you assume it's a hyperlink though, the difference as well behind like a go.ogle.com and a www.google.com/@update.zip would be that you see "ogle.com" vs "update.zip"...which I'm willing to bet will still trip up more users because they associate zip as a file extension not a website.  That's the bit which I think will trip up the casual users who do mouse over the link

 

Or again, it's a whole lot easier asking someone to just type in updates.zip into the Start menu search if you were to phone them up than it would be for them to type in attachment.com into there.

 

10 hours ago, LAwLz said:

As pointed out by Eric Lawrence, links are not automatically generated unless a developer specifically adds that function for that particular TLD. We currently have almost 1500 different TLDs and only a few of them actually get included in the automatic link generation in programs. Chances are this won't be an issue unless developers start actually making it an issue, and it might be a good idea to not treat everything that contains .zip as a link. Not because it creates some unique security vulnerability that poses a big threat, but because it might be annoying (and a very, very slight security risk).

We already have YouTube starting to do it.  So it's already opened it up.

3735928559 - Beware of the dead beef


43 minutes ago, wanderingfool2 said:

-snip-

So let me get this straight.

You don't think that requiring people to copy and paste clear text instead of clicking a link would raise some red flags for users? And then when they actually do paste the link into the browser, they would completely ignore the URL bar and not notice that they went to a different website? Because it would be very obvious because everything on the left side of the @ sign would disappear since that is not part of the URL.

 

A URL like:

microsoft.com∕updates∕@2023.06.24.hotfix.zip

would show up as this in the browser's URL bar:

2023.06.24.hotfix.zip

 

 

 

I find the entire scenario you are painting to be completely ridiculous. It is not a real threat. Even in your own scenario, you are raising like 3 new red flags that wouldn't be necessary in a typical scam. And as I have now said several times, professional security experts (not just me) do not consider this a big risk. Some might, but most don't. You do not have to worry, this isn't a big deal. 
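Both sides of this exchange turn on the same two mechanics: the visible link text versus the host the link really reaches (the attachment.zip example earlier), and the fact that everything left of `@` in an authority is userinfo, not the host, so a look-alike slash such as U+2215 keeps the whole fake path inside the userinfo. The following is an added example that makes those mechanics concrete with nothing but Python's standard library; it is not code from the thread or from any poster. The sample URLs are constructed after the ones quoted above, and the small watchlist of slash look-alikes and file-extension TLDs is an assumption, not an exhaustive list.

```python
"""Added example: what a URL using the userinfo '@' trick actually resolves to.

Not code from the thread; standard library only. Sample URLs are constructed
after the ones quoted in the discussion. SLASH_LOOKALIKES and
FILE_EXTENSION_TLDS are assumed watchlists, not complete inventories.
"""
from urllib.parse import urlsplit

# Characters that render like '/' in many fonts but are not the ASCII solidus,
# so a URL parser keeps them inside the userinfo instead of starting a path.
SLASH_LOOKALIKES = {
    "\u2215": "DIVISION SLASH",
    "\u2044": "FRACTION SLASH",
    "\uff0f": "FULLWIDTH SOLIDUS",
}

# TLDs that read like common file extensions (assumed watchlist).
FILE_EXTENSION_TLDS = {"zip", "mov"}


def inspect_url(url):
    """Return the host a client would connect to, plus a list of findings."""
    findings = []
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        # urlsplit rejects a netloc whose NFKC normalisation would introduce
        # '/', '?', '#', '@' or ':' (a fullwidth solidus, for instance).
        return {"host": "", "tld": "", "findings": [f"parser rejected URL: {exc}"]}
    host = parts.hostname or ""
    if parts.username is not None:
        findings.append(
            f"userinfo {parts.username!r} is not the host; real host is {host!r}"
        )
    for ch, name in SLASH_LOOKALIKES.items():
        if ch in url:
            findings.append(f"contains U+{ord(ch):04X} {name}, which looks like '/'")
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in FILE_EXTENSION_TLDS:
        findings.append(f"host ends in .{tld}, a TLD that reads like a file extension")
    return {"host": host, "tld": tld, "findings": findings}


def display_mismatch(display_text, href):
    """True when the visible link text names a host other than the one href reaches."""
    shown = display_text if "://" in display_text else "https://" + display_text
    return inspect_url(shown)["host"] != inspect_url(href)["host"]


if __name__ == "__main__":
    # Constructed samples, modelled on the URLs quoted in the thread.
    for sample in (
        "https://google.com\u2215@attachment.zip",
        "https://microsoft.com\u2215updates\u2215@2023.06.24.hotfix.zip",
        "https://example.com/index.zip",
    ):
        result = inspect_url(sample)
        print(sample, "->", result["host"])
        for finding in result["findings"]:
            print("   ", finding)
    # Visible text says google, href goes elsewhere: the older, TLD-independent trick.
    print(display_mismatch("www.google.com", "https://evil.example/"))
```

Running it shows the point made in the post: for `microsoft.com∕updates∕@2023.06.24.hotfix.zip` the host is `2023.06.24.hotfix.zip` and everything before the `@` is reported as discarded userinfo, while `example.com/index.zip` resolves to plain `example.com` with no findings. `display_mismatch` covers the other half of the argument, a displayed URL whose anchor points somewhere else, which works the same with or without a .zip TLD.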


Honestly I can see why this could trip people up, but remember that .com is a file type too, and that has been a TLD for a very long time, and hasn't been an issue.

 

The bigger question is less security and more "why is this necessary": is there a shortage of domain names available using the huge range of TLDs already out there?


3 hours ago, cooky560 said:

, but remember that .com is a file type too

Except that one is an executable file, not a harmless archive....

  

18 hours ago, LAwLz said:

Chances are this won't be an issue unless developers start actually making it an issue

Ah yes, because if it's not a hyperlink it cannot be used to trick people, pull your head out of the sand.


36 minutes ago, jagdtigger said:

Ah yes, because if it's not a hyperlink it cannot be used to trick people, pull your head out of the sand.

What do you mean?

 

Of course it can be used to trick people, but the point is that it doesn't enable anything that isn't already possible, and on top of that there are already hundreds of ways of tricking people. This makes next to no difference. The idea that this is somehow very bad and dangerous is an idea pushed by bloggers and non-security people to try and get clicks.

It really is a nothing burger. 

