[34828] in bugtraq
Status bar exploit hides spoofed URLs Eudora, possibly other
daemon@ATHENA.MIT.EDU (Brett Glass)
Sat May 8 14:34:32 2004
Message-Id: <6.0.0.22.2.20040508105828.05ba7978@localhost>
Date: Sat, 08 May 2004 11:10:08 -0600
To: bugtraq@securityfocus.com
From: Brett Glass <brett@lariat.org>
In-Reply-To: <200405070210.i472AxU368809@milan.maths.usyd.edu.au>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Eudora (as well as, possibly, other e-mail clients) is susceptible to an
exploit which can be used to conceal a fraudulent URL. In a fraudulent
("phishing") spam I received this morning, the sender inserted a large
number of character entities (in this case, spaces, coded as  ) into
the middle of a URL to force the remainder off the right side of the
status bar, hiding the true destination:
<a href="http://www.e-gold.com�
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
@egegold.com/"><span lang=EN-US
style='mso-ansi-language:EN-US'>http://www.e-gold.com/alert</span></a><br>
When the mouse pointer is passed over the URL, the status bar at the
bottom of the screen shows
http://www.egold.com
and does not reveal the spoofed URL. One must view the message source to
see the actual URL.
This technique is known to work on some browsers, but this is the first
time I've seen it used to spoof e-mail clients.
I am told that if the URL gets much longer, recent versions of Eudora
will overflow a buffer in a way that is exploitable by malware. This
particular phishing expedition doesn't seem to take advantage of that
vulnerability, hoever.
--Brett Glass
