Impressive, eh? What you’re experiencing is the latest security bug (as reported by ZDNet and many others). It is very severe, because it makes it easy to send you anywhere while you think you’re accessing, say, PayPal or your online banking account.

This exploit takes advantage of the fact that a username and password may precede the domain name for HTTP authentication. The following URL, for example, would authenticate the user foo with the password secret on the site barnesandnoble.com:

 http://foo:secret@barnesandnoble.com 

Still, you would see all that information in the URL. But the password may be omitted, and the username may be chosen to look like a URL:

 http://amazon.com@barnesandnoble.com 

This may look confusing and may actually mislead users, but at least the information is all there: the site you really reach is the one after the “@”, barnesandnoble.com. However, if right before the “@” you insert an ASCII 1 followed by an ASCII 0, everything after (and including) the “@” is omitted from the address bar, so all you see is http://amazon.com while the request goes to barnesandnoble.com. Of course this happens only if you use IE. So go ahead and download Mozilla today!
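The following is an added example and not code from the original post. It runs the URLs discussed above through Node's WHATWG URL parser (the global URL class) to show which host the browser really connects to, and it models the vulnerable address bar as a display routine that treats the URL as a NUL-terminated string and drops other control characters; that model is an assumption for illustration, not IE's actual code. The sample URLs are the ones from the post plus the control-character variant, constructed here.

```javascript
// Added example: inspect userinfo@host URLs and flag the spoofing signals.
// Assumption: the vulnerable address bar behaves like a display routine that
// stops at the first NUL byte and drops other C0 control characters.

// Model of the vulnerable display (assumption, not IE's real code).
function naiveDisplay(raw) {
  const nul = raw.indexOf('\x00');
  const shown = nul === -1 ? raw : raw.slice(0, nul);
  return shown.replace(/[\x01-\x1f\x7f]/g, '');
}

// Host the browser actually connects to: the authority after the last '@'.
function realHost(raw) {
  return new URL(raw).hostname;
}

// Report the signals a spoofing check should look at for one URL.
function inspectUrl(raw) {
  const url = new URL(raw);
  const displayed = naiveDisplay(raw);
  let displayedHost;
  try {
    displayedHost = new URL(displayed).hostname;
  } catch (e) {
    displayedHost = null; // the truncated string is not even a parseable URL
  }
  const hasUserinfo = url.username !== '' || url.password !== '';
  // Any C0 control character in the raw URL is a strong spoofing signal.
  const hasControlChars = /[\x00-\x1f\x7f]/.test(raw);
  return {
    realHost: url.hostname,
    // Userinfo as parsed; the WHATWG parser percent-encodes control characters.
    username: url.username,
    displayedHost,
    hasUserinfo,
    hasControlChars,
    // A lying address bar: what is shown is not where the request goes.
    spoofed: displayedHost !== url.hostname,
    // Userinfo that contains a dot looks like a host name: a phishing tell
    // even when the whole URL is visible.
    suspicious: hasUserinfo && (hasControlChars || url.username.includes('.')),
  };
}

// Constructed sample URLs: the three from the post plus the ASCII 1 + ASCII 0 variant.
const SAMPLES = [
  'http://foo:secret@barnesandnoble.com',
  'http://amazon.com@barnesandnoble.com',
  'http://amazon.com\x01\x00@barnesandnoble.com',
  'https://barnesandnoble.com/',
];

for (const raw of SAMPLES) {
  const r = inspectUrl(raw);
  console.log(
    JSON.stringify(raw), '->', r.realHost,
    r.spoofed ? '(SPOOFED: bar shows ' + r.displayedHost + ')' : '',
    r.suspicious ? '(suspicious userinfo)' : ''
  );
}
```

The practical check is the one in realHost(): whatever precedes the last "@" in the authority is userinfo, and the request goes to the host after it. A URL that carries userinfo at all, and especially one containing control characters, deserves a warning regardless of what the address bar renders.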

1 Comment
  1. Not only Explorer – Mozilla (1.2.1) does show the full address in the address bar, but only http://www.amazon.com in the status bar when pointing at the link.
    Still something better, but not perfect at all.