Bug 469930 - Scam detection: Consider misleading substitute characters in URL userinfo
Status: REPORTED
Alias: None
Product: kdepim
Classification: Applications
Component: messageviewer
Version: GIT (master)
Platform: unspecified All
Importance: NOR normal
Target Milestone: ---
Assignee: kdepim bugs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-18 08:29 UTC by Mia Herkt
Modified: 2023-05-18 08:29 UTC (History)
0 users

See Also:
Latest Commit:
Version Fixed In:

Description Mia Herkt 2023-05-18 08:29:15 UTC
Recently, some new gTLDs like .zip have been getting a lot of attention, with people pointing out how easily they can be used to mislead users. One of the ways this can be done is to use the @ symbol and characters like ∕ (U+2215 DIVISION SLASH):

https://download.kde.org∕stable∕krita∕5.1.5∕@kritax64515.zip

The above URL leads to a domain called kritax64515.zip – what looks like a path on the download.kde.org domain to an unsuspecting user is merely the userinfo subcomponent of that URL.

It is probably a good idea to try and detect this.
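
One way such a check could look, as an added example that is not part of the original report and not kdepim code: it splits the authority at the last `@`, reports the host the link really points to, and flags slash lookalikes in the userinfo. The names `UserinfoCheck`, `checkUserinfo` and `kSlashLookalikes`, the lookalike list, and the use of plain `std::string` on UTF-8 input instead of Qt types are assumptions of this example.

```cpp
#include <algorithm>
#include <string>

// Hypothetical result type for this example.
struct UserinfoCheck {
    bool hasUserinfo = false;     // authority contains '@'
    bool slashLookalike = false;  // userinfo contains a '/'-like character
    std::string host;             // host the URL really points to
};

// UTF-8 encodings of characters that render like '/'.
// The list is an assumption of this example and is not exhaustive.
static const char *const kSlashLookalikes[] = {
    "\xE2\x88\x95",  // U+2215 DIVISION SLASH
    "\xE2\x81\x84",  // U+2044 FRACTION SLASH
    "\xEF\xBC\x8F",  // U+FF0F FULLWIDTH SOLIDUS
    "\xE2\xA7\xB8",  // U+29F8 BIG SOLIDUS
};

UserinfoCheck checkUserinfo(const std::string &url)
{
    UserinfoCheck r;
    const std::size_t sep = url.find("://");
    if (sep == std::string::npos)
        return r;  // no authority component, nothing to inspect
    const std::size_t start = sep + 3;
    // The authority ends at the first ASCII '/', '?' or '#'.
    const std::size_t end = std::min(url.find_first_of("/?#", start), url.size());
    const std::string authority = url.substr(start, end - start);
    // Userinfo is everything before the last '@' inside the authority.
    const std::size_t at = authority.rfind('@');
    r.hasUserinfo = (at != std::string::npos);
    std::string hostPort = r.hasUserinfo ? authority.substr(at + 1) : authority;
    // Drop a trailing ":port" (bracketed IPv6 literals are left untouched).
    const std::size_t colon = hostPort.rfind(':');
    if (colon != std::string::npos && hostPort.find(']') == std::string::npos)
        hostPort.erase(colon);
    r.host = hostPort;
    if (r.hasUserinfo) {
        const std::string userinfo = authority.substr(0, at);
        for (const char *s : kSlashLookalikes)
            if (userinfo.find(s) != std::string::npos)
                r.slashLookalike = true;
    }
    return r;
}
```

A viewer could warn whenever `slashLookalike` is set and show `host` next to the link text, since that is where the request actually goes.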