
Monday, November 19, 2007

bug 169 - browsers parse 10 digit numbers as IP addresses

Issue: #169
Affects: IE6, IE7, Firefox
Status: [By Design]

At first this appears to be a "feature", but when the consequences of this bug are thought through, it is just one more vector of attack for unwitting surfers to fall prey to.

If you click on the following link (the href is the same as the text you see), it will take you to a web site!

http://1208929639/

Look familiar?

The trick is, an "evil" site will look just the same:
http://3493960174/

First off, what are these URLs? Well, if you take the IPv4 address of any domain, convert each octet to hex, concatenate the hex values, then convert the result back to decimal, you'll get a 10 digit number.

As it turns out, IE & Firefox will handle this 10 digit number, resolve the IP Address, and navigate to it.

e.g. This blog post can be accessed by this URL (only in IE!)
bug 169 - browsers parse 10 digit decimal numbers as IP addresses


What this means is that phishing scams, and any site that wants to lure you into downloading malicious software, now have yet another way to do so. It also means that any spam-filtering or blacklisting software needs to handle roughly double the amount of URLs in order to protect users!

(currently running tests on various browsers to determine the number affected)

Example:

//tracert www.youtube.com
// => 208.65.153.238
// => Hex
// D0.41.99.EE
// D04199EE => Decimal
// => 3493960174
//<a href="http://3493960174/watch?v=qItugh-fFgg">Fake Label</a>
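The conversion walked through above, and the blacklist problem it creates, as an added Python example (not code from the original post). It carries the same octet-to-hex-to-decimal steps for 208.65.153.238, reverses them, and shows how a URL filter can canonicalize an integer-form host back to dotted-quad before consulting its list, so one blacklist entry covers both spellings. The blacklist set and the `is_blocked` helper are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit


def dotted_to_hex(dotted: str) -> str:
    """208.65.153.238 -> 'D0.41.99.EE': each octet rendered as two hex digits."""
    return ".".join(f"{int(octet):02X}" for octet in dotted.split("."))


def dotted_to_decimal(dotted: str) -> int:
    """208.65.153.238 -> 3493960174: the four octets read as one 32-bit big-endian integer."""
    return int(ipaddress.IPv4Address(dotted))


def decimal_to_dotted(value: int) -> str:
    """3493960174 -> '208.65.153.238': the reverse mapping a browser performs."""
    return str(ipaddress.IPv4Address(value))


def normalize_host(host: str) -> str:
    """If the host is a bare decimal integer that fits in 32 bits, return its dotted-quad form.

    Anything else (a hostname or an already dotted address) is returned unchanged.
    """
    if re.fullmatch(r"\d+", host):
        value = int(host)
        if value <= 0xFFFFFFFF:
            return decimal_to_dotted(value)
    return host


def normalize_url(url: str) -> str:
    """Rewrite a URL so an integer-form host becomes dotted-quad; other URLs pass through.

    Userinfo (user:pass@) is deliberately not reconstructed here.
    """
    parts = urlsplit(url)
    if parts.hostname is None:
        return url
    netloc = normalize_host(parts.hostname)
    if parts.port is not None:
        netloc = f"{netloc}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


# Constructed blacklist for the example: the filter stores only the dotted form.
BLACKLIST = {"208.65.153.238"}


def is_blocked(url: str) -> bool:
    """Canonicalize the host first so the decimal spelling cannot bypass the list."""
    host = urlsplit(url).hostname
    return host is not None and normalize_host(host) in BLACKLIST


if __name__ == "__main__":
    print(dotted_to_hex("208.65.153.238"))                     # D0.41.99.EE
    print(dotted_to_decimal("208.65.153.238"))                 # 3493960174
    print(decimal_to_dotted(1208929639))                       # 72.14.205.103
    print(normalize_url("http://3493960174/watch?v=qItugh-fFgg"))
    print(is_blocked("http://3493960174/watch?v=qItugh-fFgg"))  # True
```

The point for a filter author is that comparing the raw host string against a list is not enough; canonicalizing to a single representation before the lookup is what removes the "double the URLs" burden. This example handles only the pure-decimal form the post describes; browsers accept other integer spellings as well (hex and octal), which a production normalizer would also need to fold into the same canonical form.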


Try it here:
Best game ever!


Known Workarounds:
No workaround required. This feature is by design and does not realistically increase the attack surface.


Related Issues: None.