


catball
@catball

Saw this in a discord

Also note that the malicious URL uses a homoglyph slash that's not a real slash


caymanwent
@caymanwent

Can someone explain to those of us who might be at risk from this what the hell a "TLD" is?


MisutaaAsriel
@MisutaaAsriel

Just as files have .zip, .bat, .jpg, .exe, etc., so too do websites have Top Level Domains.

.com, .org, .gov, .co, .jp, .net — these are all examples of TLDs.

These are used to differentiate what and/or where a website is from and/or for. So you know website .org is from an organization, whereas website .gov.uk is from the UK government.

The risk here is TLDs that look like file extensions can result in maliciously named websites appearing like a legitimate website with a download.

In the example above, to clean it up so it's legible and give you the answer, one website is:

  • github.com

but one is:

  • github.com/kubernetes/kubernetes/archive/refs/tags/@v1271.zip

Do you see the issue? If you don't, the fake website uses symbols that are almost indistinguishable from a normal forward slash as part of the name.

Your average netizen is used to the format of a URL being: website-name[.]TLD[/]subpage[/]subpage…, so if those slashes are baked into a legitimate-looking address, and it ends in a TLD like .zip? Users can be manipulated into being phished or downloading malware when they thought they were visiting a legitimate download.

Think of it like a super next-level version of using an I (i) as an l (L) to fool users whose font draws both as lines into visiting a fake site. Threat actors can craft unique URLs which look legit, but use alternate characters which mimic ones you expect (like forward slashes) to be part of the name itself, before the TLD.


in reply to @caymanwent's post:

it's the ".org" part in "cohost.org". so google has made it so that now you could, for instance, make a website called "cohost.zip" whereas previously you could not. infosec nerds like me think this is a bad idea since now "cohost.zip" could mean something on your hard drive or it could mean something on the Internet, they don't have to have anything to do with each other, and the separation between those two isn't nearly as good as people would like

the specific attack being referenced here is that one of those URLs is the file "v1.27.1.zip" under "github.com" (and a bunch of other path junk), and one of them is a website called, in its entirety, "....tags/@v1271.zip", which is completely unrelated to github and could be malicious.

Thanks for your insight. So for the average internet user (like me), this just means clicking on a link for a website can instead just redirect to download a .zip file from an external server? I still don't know what a TLD is.

well, out of the whole URL for this post, "https://cohost.org/caymanwent/post/1511573-can-someone-explain", the domain name is "cohost.org". it identifies the computer system that is cohost; any time you go to a link that starts with "https://cohost.org", regardless of what comes after that, it goes to cohost's servers.

but the domain name is actually split into two parts, "cohost" and "org", separated by a dot. you kind of read them in reverse, so of those, "org" is the top-level domain, or TLD, and "cohost" is a subdomain of "org".

what this means is to be able to have cohost at "cohost.org", the people who make cohost had to go to the people responsible for "org" and ask "hey can you make it so that when people ask for "cohost.org", they get our computer". if they wanted "cohost.net" instead, they'd have to go to the people who do "net".

a crucial part of this whole system is that the people who run "org" have to exist. you cannot go and ask for a website at "cohost.flarble" because nobody's set up a top-level domain at "flarble" (it's an intensely bureaucratic process, as i understand things).

now google has decided they want to be the people who do "zip", so you can go ask them to put your computer in there at "cohost.zip". this, combined with some other things, creates ambiguity.

basically, there's another bit of trickery you can do to "hide" the stuff that's supposed to go after the domain name in a web address from web browsers. so the "bad" link in the original post actually starts with "github.com/kubernetes/kubernetes/...", to make it look like you're going to "github.com", but the slashes in there are actually Funky Different Slashes that the browser doesn't pick up on, and then the "@" tells the browser, in effect, "ok now throw all that out and here is the actual domain name", which is "v1271.zip".

so if you click the second link from the original post, you go to the website at "github.com" and download the file called "v1.27.1.zip". if you click the first link, you go to the website at "v1271.zip" and do... well whatever the person who bought "v1271.zip" wants, really. and, as you can probably tell, they look almost identical.

and previously this was completely impossible, because you could not put a website at "v1271.zip".

oh, and a sneaky little extra problem: see how "https://cohost.org/caymanwent/post/1511573-can-someone-explain" at the start of that comment is a hyperlink? I didn't do anything special with formatting to achieve that, it's just cohost knows when you type "https://", some words, and ".org" that it's probably a link because "org" is a valid top-level domain, so it makes it into a link.

some systems are more aggressive about doing that and won't require the "https://" at the start; i.e. they'd turn just "cohost.org" into a link. now, once they hear about ".zip", they'd start doing that for it as well, so you text someone "hey I finished up that design work it's in eggbug.zip", intending them to grab it off a physical thumb drive or something, but then they see a link to "eggbug.zip", misunderstand what you meant, and go to whatever website someone's managed to put there instead of checking the thumb drive.
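An added example, not taken from any comment in this thread, showing how a WHATWG URL parser (the one browsers and Node's built-in URL class implement) splits the two look-alike links that MisutaaAsriel's post and the comment above describe. The fake link is rebuilt here from the thread's description: U+2215 DIVISION SLASH stands in for "/" (the thread does not say which look-alike was used, so that choice is an assumption) and an "@" sits in front of the real host. "v1271.zip" is the thread's hypothetical host, not a known site; the function names, the list of slash look-alikes and the mention of .mov (delegated alongside .zip, which the thread does not discuss) are mine.

```javascript
// Added example (not from the thread): how a WHATWG URL parser, the one
// browsers and Node's URL class implement, splits the two look-alike links.
// The fake link is constructed here from the thread's description:
// U+2215 DIVISION SLASH instead of "/" (an assumption), and "@" before the
// real host. "v1271.zip" is the hypothetical host named in the thread.

const DIV = "\u2215"; // DIVISION SLASH, renders almost like "/"

// Constructed sample links: the real GitHub download and the fake one.
const REAL_LINK =
  "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip";
const FAKE_LINK =
  "https://github.com" + DIV + "kubernetes" + DIV + "kubernetes" + DIV +
  "archive" + DIV + "refs" + DIV + "tags" + DIV + "@v1271.zip";

// Code points that look like a slash to a human but not to the URL parser.
const SLASH_LOOKALIKES = new Set(["\u2215", "\u2044", "\uFF0F", "\u29F8"]);

// TLDs that double as file extensions: .zip from the thread, plus .mov,
// which was delegated at the same time (not mentioned in the thread).
const FILE_LIKE_TLDS = new Set(["zip", "mov"]);

// What a reader skimming the text takes to be the host: everything after the
// scheme up to the first character that *looks* like a slash (or ? / #).
function apparentHost(link) {
  const afterScheme = link.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  let end = 0;
  while (end < afterScheme.length) {
    const ch = afterScheme[end];
    if (ch === "/" || ch === "?" || ch === "#" || SLASH_LOOKALIKES.has(ch)) {
      break;
    }
    end++;
  }
  return afterScheme.slice(0, end);
}

// Parse the link the way a browser does and report why it is suspicious.
// Returns { apparent, actual, suspicious, reasons }.
function inspectLink(link) {
  const url = new URL(link); // WHATWG parser: everything before "@" is userinfo
  const tld = url.hostname.split(".").pop();
  const reasons = [];
  if (url.username !== "" || url.password !== "") {
    reasons.push("userinfo before '@' hides the real host");
  }
  if ([...link].some((ch) => SLASH_LOOKALIKES.has(ch))) {
    reasons.push("contains a slash look-alike code point");
  }
  if (FILE_LIKE_TLDS.has(tld)) {
    reasons.push(`TLD .${tld} is also a file extension`);
  }
  const shown = apparentHost(link);
  if (shown !== url.hostname) {
    reasons.push(`looks like ${shown} but goes to ${url.hostname}`);
  }
  return {
    apparent: shown,
    actual: url.hostname,
    suspicious: reasons.length > 0,
    reasons,
  };
}

// Usage: the real link resolves to github.com with no findings; the fake one
// resolves to v1271.zip with every finding set.
console.log(inspectLink(REAL_LINK));
console.log(inspectLink(FAKE_LINK));
```

The key line is `new URL(link)`: the parser never sees the look-alike slashes as path separators, so the whole "github.com∕kubernetes∕…∕tags∕" run is treated as a username, percent-encoded, and thrown away for the purpose of picking a host. Comparing `apparentHost` with `url.hostname` is the check a link scanner or chat client can make before a user clicks.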

It means that anyone can register a URL that ends in .zip, like the compressed file format, and services such as WhatsApp that convert any word with a period in it into a link will just link people to it. Imagine a grandma getting sent just the text "familyphotos2024.zip", her clicking on it, and suddenly being sent to a phishing site, or a virus.
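An added example, not from any comment in this thread, of the bare-domain linkifier that the last two comments describe: a chat client that turns "word.tld" into a link whenever "tld" is one it recognises. It shows what changes the moment "zip" joins the recognised list, and one way to avoid it (for TLDs that are also file extensions, only link when the text actually carries "https://"). "eggbug.zip" and "familyphotos2024.zip" are the thread's own hypothetical file names; the short TLD list is the one MisutaaAsriel gave, and the regex and function names are mine.

```javascript
// Added example (not from the thread): a naive "bare domain" linkifier of the
// kind an aggressive chat client uses, and what happens once "zip" is a TLD.
// The file names are the thread's hypothetical ones, not real sites.

const OLD_TLDS = new Set(["com", "org", "net", "gov", "co", "jp"]); // from the thread
const NEW_TLDS = new Set([...OLD_TLDS, "zip"]);                      // after .zip went live
const FILE_LIKE_TLDS = new Set(["zip"]);                             // TLDs that look like extensions

// Match an optional scheme, one or more "label." parts, then a final label.
// Capture groups: 1 = scheme (may be undefined), 2 = labels, 3 = final label.
const LINK_TOKEN = /\b(https?:\/\/)?((?:[a-z0-9-]+\.)+)([a-z]{2,})\b/gi;

// Turn tokens whose final label is a known TLD into links. If fileLikeTlds is
// given, those TLDs are only linked when the text carries an explicit scheme,
// so a bare file name like "eggbug.zip" stays plain text.
function linkify(text, tlds, fileLikeTlds = new Set()) {
  return text.replace(LINK_TOKEN, (match, scheme, labels, tld) => {
    const low = tld.toLowerCase();
    if (!tlds.has(low)) return match;                   // unknown TLD: plain text
    if (!scheme && fileLikeTlds.has(low)) return match; // "x.zip" with no scheme: plain text
    const href = (scheme ? "" : "https://") + match;
    return `<a href="${href}">${match}</a>`;
  });
}

// Usage: the same message before and after "zip" became a TLD, then with the
// scheme requirement that keeps a bare file name from turning into a link.
const MSG = "hey I finished up that design work it's in eggbug.zip";
console.log(linkify(MSG, OLD_TLDS));                 // unchanged
console.log(linkify(MSG, NEW_TLDS));                 // eggbug.zip becomes a link
console.log(linkify(MSG, NEW_TLDS, FILE_LIKE_TLDS)); // unchanged again
console.log(linkify("familyphotos2024.zip", NEW_TLDS)); // grandma's case: a link
```

The first call is the world before .zip existed, the second is the ambiguity the thread is worried about, and the third is the mitigation: a file-extension-shaped TLD only counts as a link when the sender typed a scheme. Real chat clients tend to use more elaborate detection than this regex, but the decision point is the same.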