URL Authentication Spoofing
This is the kind of bug that affects a tonne of stuff but no one will pay a bounty for. It lets you spoof the domain shown in a link, and it works in Outlook, Teams, Slack and so on. The principle is that a URL can carry credentials in front of the host name (HTTP basic authentication via the URL's userinfo part), meaning you can create links that authenticate you to a website. The links look like this:
https://username:password@website.com
People expect whatever follows the protocol specification (https://) to be the target website, but the real host is whatever comes after the @, so we can goof on that expectation by doing something like this:
https://website.com:password@evilwebsite.com
This will work some of the time, but we can improve on it with some character padding. To really make it convincing we'd need to add slashes (/) after website.com, but that breaks the username:password scheme, so we need something that looks like a slash but is not; here is where we source our Unicode character “Ⳇ” (alternatives are available). It looks like a slash “/” but it isn't one, so the URL parser in browsers and chat programmes will treat it as part of the username:password portion and the host after the @ stays in control.
A Very Heavy Metal Proof-of-Concept
So you can use this to make people think they're going to one thing (a website for the world's most rockin' dad-band) and instead take them to the world's greatest meme. But where you can really weaponise this is by setting up an HTTP redirector on a domain you control. If the link spoofs a trusted website but points to your redirector, and the redirector initiates a malicious file download before redirecting (301/302) the victim to the trusted site, it all looks (to the victim) like they clicked on a link to the trusted site and landed there, where a file download got initiated.
No need to hijack domains, buy similar domains to the trusted domain, etc.
How Can You Fix This?
Authentication via URLs is dated and dumb and should be blocked at the network level. Whatever you're using to constrain access to sites and services should block these requests. You'll probably want to test this in monitoring mode, as in an organisation of any size and age someone or something is probably still using this mechanism for reasons. Bear in mind that the deception happens where the link is rendered (the mail or chat client), so a network block stops the click from landing rather than the spoof itself; flagging links that carry an @ in the authority, especially with non-ASCII padding in front of it, is the complementary check on the messaging side.
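The following is an added example (not code from the original post) that applies the parsing rule described above, where the browser takes the host from after the last @ while a reader stops at the first ":" or slash-lookalike, to the monitoring check suggested in this section. It assumes a simple regex is adequate for pulling links out of a message body and treats any non-ASCII character inside the userinfo part as padding; the sample message is constructed and reuses the post's “Ⳇ” trick.

```python
import re
import unicodedata

def analyze_link(url: str) -> dict:
    """Compare the host a reader sees with the host a browser will connect to."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return {"url": url, "suspicious": False, "reason": "no authority"}
    # The authority ends at the first real "/", "?" or "#"; a slash lookalike does not end it.
    end = len(rest)
    for delim in "/?#":
        pos = rest.find(delim)
        if pos != -1:
            end = min(end, pos)
    authority = rest[:end]
    # Browsers (WHATWG URL parsing) split userinfo from host at the LAST "@".
    userinfo, at, hostport = authority.rpartition("@")
    real_host = hostport.split(":")[0].lower()
    if not at:
        return {"url": url, "suspicious": False, "real_host": real_host, "reason": "no userinfo"}
    # What a casual reader takes for the host: the leading ASCII run up to the first ":".
    shown = ""
    for ch in userinfo:
        if ch == ":" or not ch.isascii():
            break
        shown += ch
    # Assumption: any non-ASCII character inside userinfo is padding or a lookalike.
    lookalikes = [(ch, unicodedata.name(ch, "UNKNOWN"))
                  for ch in sorted(set(userinfo)) if not ch.isascii()]
    return {
        "url": url,
        "suspicious": True,
        "real_host": real_host,
        "shown_host": shown.lower(),
        "lookalike_chars": lookalikes,
        "reason": "credentials in URL" + (" with non-ASCII padding" if lookalikes else ""),
    }

def scan_message(text: str) -> list:
    """Return a finding for every suspicious http(s) link in a chat or mail body."""
    findings = []
    for url in re.findall(r"https?://\S+", text):
        result = analyze_link(url.rstrip(".,;)"))  # drop trailing punctuation
        if result["suspicious"]:
            findings.append(result)
    return findings

# Constructed sample message: the first link uses the post's padding trick, the second is benign.
SAMPLE_MESSAGE = "Slides: https://website.comⳆⳆshare:view@evilwebsite.com/deck (old copy at https://website.com/old)"
```

Running `scan_message(SAMPLE_MESSAGE)` reports one link shown as website.com that actually resolves to evilwebsite.com, with the Coptic letter listed by its Unicode name.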