Bug 75813 - Warn when opening an HTTP link that has another server in the username and password fields
Status: CONFIRMED
Alias: None
Product: frameworks-kio
Classification: Frameworks and Libraries
Component: general (other bugs)
Version First Reported In: unspecified
Platform: openSUSE Linux
Importance: NOR wishlist
Target Milestone: ---
Assignee: KIO Bugs
Reported: 2004-02-22 07:52 UTC by Ben Elliston
Modified: 2025-03-24 22:58 UTC

Description Ben Elliston 2004-02-22 07:52:57 UTC
Version:            (using KDE KDE 3.1.3)
Installed from:    SuSE RPMs

Many email-based scams rely on tricking users by embedding the expected web server hostname in the password field of the extended URL syntax, like so:

  mysite.co.nz:actually@anothersite.com/location/page.html

Legitimate URLs that embed usernames and passwords are reasonably rare.  When a user follows a URL from any KDE application that contains a username and password, KDE should pop up a dialog box and clearly state the hostname it intends to connect to and the username/password it will be using, asking for confirmation.  This will help to mitigate such attacks.  If necessary, it could be a preference to pop up a dialog box.

Sorry if I have used the wrong bug reporting category; I had difficulty finding the appropriate category.
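
The check requested in the description, sketched as an added example (not part of the original report and not KIO code): it separates the credentials from the host that is actually contacted and builds the confirmation wording. The function names, the "looks like a host" heuristic and the dialog text are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption of this example: a userinfo component "looks like a host"
# when it is dot-separated labels ending in an alphabetic TLD.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def inspect_link(url):
    """Return None when no confirmation is needed, else the facts to display."""
    # The report's sample has no scheme. Callers pass only links already
    # classified as web links, so a missing scheme is treated as HTTP.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    if parts.username is None and parts.password is None:
        return None  # no userinfo: nothing to confirm
    username = unquote(parts.username or "")
    password = unquote(parts.password or "")
    # Everything before the last "@" is credentials; only `hostname` is contacted.
    decoy = [c for c in (username, password) if HOSTLIKE.match(c)]
    return {"host": parts.hostname, "username": username,
            "has_password": bool(password), "decoy_hosts": decoy}


def confirmation_text(url):
    """Build the dialog wording, or None if the link can be opened directly."""
    info = inspect_link(url)
    if info is None:
        return None
    text = "This link connects to %s as user %r" % (info["host"], info["username"])
    text += " with a password." if info["has_password"] else "."
    if info["decoy_hosts"]:
        text += " The credentials contain %s, which is NOT the destination." % (
            ", ".join(info["decoy_hosts"]))
    return text


if __name__ == "__main__":
    # Constructed samples; the first is the URL from the report with a scheme added.
    for sample in ("http://mysite.co.nz:actually@anothersite.com/location/page.html",
                   "http://alice:secret@intranet.example/",
                   "http://anothersite.com/location/page.html"):
        print(sample, "->", confirmation_text(sample))
```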
Comment 1 Andreas Hartmetz 2009-08-15 20:26:03 UTC
This sounds like a pretty good idea actually. There are other ways to deal with this kind of "scammy URL" though, I'm not sure what's the best.