This spring, Google introduced eight new TLDs, and two of them are creating a little bit of a stink online. The top-level domain “.zip” is also an extension for archive files employing the compression format known as “zip.” Similarly, the TLD “.mov” is also the file format extension “.mov”. So, how can this be abused?
The URL in the codepen below looks legitimate, right?
If you click on the link, it doesn’t actually take you to Microsoft’s website, though. Let’s take a look at a version that does take you to the correct place.
So, what’s the difference between the two? First, the Unicode character ∕ (U+2215, DIVISION SLASH) looks like the ASCII / but is not a path separator, and the first demo uses it in place of the real slash. Second, the @ character makes the browser treat everything before it as a username, so the first part of the URL is passed as UserInfo rather than read as the host.
In the end, the user thinks that the UserInfo part of the URL is the Hostname and most of the Path, while the real host is whatever follows the @. This isn’t the first time Unicode in URLs has been a security issue. The Cyrillic alphabet has a number of characters that look like Latin characters, which means you can switch out an е for an e or switch out a р for a p while registering a domain name. That allows you to build out a functionally identical-looking website.
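The two tricks above (a look-alike slash plus an @ that turns the fake host into UserInfo, and mixed-script domain names) can both be caught by looking at what a URL parser actually extracts. The following is an added example, not code from the post or from its codepens; it uses Python’s standard `urllib.parse` and `unicodedata`, the sample URLs are constructed, and the inclusion of U+2044 FRACTION SLASH alongside U+2215 is an assumed extension of the same idea:

```python
"""Added example: flag URLs that use the '@' userinfo trick or look-alike
characters to disguise the real host. All sample URLs are constructed."""
import unicodedata
from urllib.parse import urlsplit

# Code points that render like the ASCII slash but are ordinary characters to
# a URL parser. U+2215 is the one discussed in the post; U+2044 is an assumed
# addition of the same kind.
SLASH_LOOKALIKES = {"\u2215": "DIVISION SLASH", "\u2044": "FRACTION SLASH"}


def analyze_url(url: str) -> dict:
    """Return the host a browser would really connect to plus a list of findings."""
    findings = []

    # 1. Look-alike slashes anywhere in the string: a real '/' would end the
    #    authority section, so a fake one lets text masquerade as a path.
    for ch, name in SLASH_LOOKALIKES.items():
        if ch in url:
            findings.append(f"contains {name} (U+{ord(ch):04X}) imitating '/'")

    try:
        parts = urlsplit(url)
    except ValueError as exc:
        # urlsplit rejects authorities whose NFKC form would add delimiters;
        # treat that as a finding rather than crashing.
        findings.append(f"parser rejected authority: {exc}")
        return {"host": None, "userinfo": None, "findings": findings}

    # 2. Anything before '@' in the authority is userinfo, not the host.
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' precedes '@'; it is not the host")

    # 3. Mixed scripts in the hostname (e.g. a Cyrillic letter beside Latin ones).
    scripts = set()
    for ch in parts.hostname or "":
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    if len(scripts) > 1:
        findings.append("hostname mixes scripts: " + ", ".join(sorted(scripts)))

    return {"host": parts.hostname, "userinfo": parts.username, "findings": findings}


if __name__ == "__main__":
    # Constructed samples, not the post's own demos.
    for sample in (
        "https://microsoft.com\u2215windows@example.zip",
        "https://www.microsoft.com/windows",
        "https://\u0430pple.com/",  # Cyrillic а followed by Latin letters
    ):
        result = analyze_url(sample)
        print(sample, "->", result["host"], result["findings"])
```

Running it shows the first sample resolving to `example.zip` with `microsoft.com∕windows` reported as userinfo, the plain Microsoft URL producing no findings, and the Cyrillic-prefixed name flagged for mixing scripts. A link-scanner or mail filter can apply the same three checks before a user ever sees the URL.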
Have a question, comment, etc.? Feel free to drop a comment below.