Bug 75813

Summary: Warn when opening an HTTP link that has another server in the username and password fields
Product: [Frameworks and Libraries] frameworks-kio
Reporter: Ben Elliston <bje+keyword+kde.c52785>
Component: general
Assignee: KIO Bugs <kio-bugs-null>
Status: CONFIRMED ---    
Severity: wishlist CC: ahartmetz, kdelibs-bugs-null, nate
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: openSUSE   
OS: Linux   
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Description Ben Elliston 2004-02-22 07:52:57 UTC
Version:            (using KDE KDE 3.1.3)
Installed from:    SuSE RPMs

Many email-based scams rely on tricking users by embedding the expected web server hostname in the password field of the extended URL syntax, like so:

  mysite.co.nz:actually@anothersite.com/location/page.html

Legitimate URLs that embed usernames and passwords are reasonably rare.  When a user follows a URL from any KDE application that contains a username and password, KDE should pop up a dialog box and clearly state the hostname it intends to connect to and the username/password it will be using, asking for confirmation.  This will help to mitigate such attacks.  If necessary, it could be a preference to pop up a dialog box.

Sorry if I have used the wrong bug reporting category; I had difficulty finding the appropriate category.
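The check the report asks for, as an added example that is not part of the bug report or of KIO: split the link into the host that would actually be contacted and the userinfo in front of it, treat any link carrying credentials as one the user must confirm, and flag the case where the username or password itself looks like a web site name. The sample links and the hostname heuristic are constructed for illustration; a scheme-less link such as the one in the report is assumed to be http, because otherwise a URL parser reads "mysite.co.nz" as the scheme.

```python
"""Detect HTTP(S) links whose userinfo is used to disguise the real host.

Added example, not KIO code. The sample links at the bottom are constructed.
"""
import re
from urllib.parse import urlsplit, unquote

# Heuristic (an assumption, not a standard): something that looks like a DNS
# name, i.e. labels of letters, digits and hyphens with at least one dot.
_HOSTLIKE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def parse_link(url):
    """Split a link into the pieces a confirmation dialog would show.

    Scheme-less links (as in the report's example) are treated as http so that
    the text before the first '/' is parsed as an authority, not as a scheme.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # non-numeric port: do not guess, show no port
        port = None
    return {
        "scheme": parts.scheme.lower(),
        "host": parts.hostname,  # the host that would actually be contacted
        "port": port,
        "username": unquote(parts.username) if parts.username is not None else None,
        "password": unquote(parts.password) if parts.password is not None else None,
        "path": parts.path or "/",
    }


def assess_link(url):
    """Return (verdict, info) for a link.

    'ok'          no credentials in the URL, follow it silently
    'credentials' credentials present, ask the user to confirm
    'spoof'       credentials present and one of them looks like a hostname,
                  the pattern the report describes in scam mail
    """
    info = parse_link(url)
    creds = [c for c in (info["username"], info["password"]) if c]
    if not creds:
        return "ok", info
    if any(_HOSTLIKE.fullmatch(c) for c in creds):
        return "spoof", info
    return "credentials", info


def confirmation_text(url):
    """Text for the dialog the report asks for: the real host first, then the credentials."""
    verdict, info = assess_link(url)
    if verdict == "ok":
        return None
    host = info["host"] or "?"
    if info["port"] is not None:
        host = f"{host}:{info['port']}"
    lines = [f"This link will connect to {host} over {info['scheme']}"]
    lines.append(f"using the username {info['username']!r} and password {info['password']!r}.")
    if verdict == "spoof":
        lines.append("The username or password looks like a web site name; this link may be a scam.")
    lines.append("Continue?")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample links, not taken from real mail.
    for sample in (
        "mysite.co.nz:actually@anothersite.com/location/page.html",
        "http://alice:s3cret@intranet.example:8080/status",
        "https://example.com/login",
    ):
        print(sample, "->", assess_link(sample)[0])
        text = confirmation_text(sample)
        if text:
            print(text)
```

The decisive field is the parsed host, not anything that appears before the "@": for the report's example the dialog names anothersite.com, and "mysite.co.nz" is shown only as the username that would be sent to it. Links with credentials but no host-like userinfo still get the plain confirmation, which covers the rare legitimate case the report mentions.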
Comment 1 Andreas Hartmetz 2009-08-15 20:26:03 UTC
This sounds like a pretty good idea actually. There are other ways to deal with this kind of "scammy URL" though, I'm not sure what's the best.