Bug 469930

Summary: Scam detection: Consider misleading substitute characters in URL userinfo
Product: [Applications] kdepim
Reporter: Mia Herkt <mia+kde>
Component: messageviewer
Assignee: kdepim bugs <kdepim-bugs>
Status: REPORTED ---
Severity: normal
Priority: NOR
Version: GIT (master)
Target Milestone: ---
Platform: unspecified
OS: All
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description Mia Herkt 2023-05-18 08:29:15 UTC
Recently, some new gTLDs like .zip have been getting a lot of attention, with people pointing out how easily they can be used to mislead users. One of the ways this can be done is to use the @ symbol and characters like ∕ (U+2215 DIVISION SLASH):

https://download.kde.org∕stable∕krita∕5.1.5∕@kritax64515.zip

The above URL leads to a domain called kritax64515.zip – what looks like a path on the download.kde.org domain to an unsuspecting user is merely the userinfo subcomponent of that URL.

It is probably a good idea to try and detect this.
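
A sketch of the kind of check the report asks for, added here as an example; it is not part of the bug report and is not messageviewer code. The function names are hypothetical, and the look-alike characters other than U+2215 are assumptions chosen for illustration.

```python
import unicodedata

# Slash look-alikes. U+2215 is the character named in the report; the other
# entries are assumptions added for illustration, not an exhaustive list.
SLASH_LOOKALIKES = {"\u2215", "\u2044", "\u29f8", "\uff0f"}

def split_authority(url):
    """Return (userinfo, host) for a scheme://authority URL; userinfo may be None."""
    _scheme, sep, rest = url.partition("://")
    if not sep:
        return None, None
    # The authority ends at the first real ASCII '/', '?' or '#'.
    end = min([i for i in map(rest.find, "/?#") if i != -1], default=len(rest))
    userinfo, at, host = rest[:end].rpartition("@")
    return (userinfo if at else None), host

def userinfo_findings(url):
    """List reasons why the userinfo part of url may mislead a reader."""
    userinfo, host = split_authority(url)
    if userinfo is None:
        return []
    findings = []
    for ch in sorted(set(userinfo) & SLASH_LOOKALIKES):
        findings.append(f"userinfo contains U+{ord(ch):04X} {unicodedata.name(ch)}")
    # Read the userinfo the way a user would: look-alikes as path separators.
    as_seen = userinfo
    for ch in SLASH_LOOKALIKES:
        as_seen = as_seen.replace(ch, "/")
    apparent_host = as_seen.split("/", 1)[0].split(":", 1)[0]
    if "." in apparent_host and apparent_host != host:
        findings.append(f"userinfo looks like host {apparent_host!r}, real host is {host!r}")
    return findings

if __name__ == "__main__":
    # Constructed samples: the URL from the report, and an ordinary download URL.
    samples = [
        "https://download.kde.org\u2215stable\u2215krita\u22155.1.5\u2215@kritax64515.zip",
        "https://download.kde.org/stable/krita/5.1.5/",
    ]
    for url in samples:
        print(url, userinfo_findings(url) or "no findings")
```

The authority is split by hand rather than with a URL library so that the result does not depend on how a given parser treats non-ASCII characters before the @.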