Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Decoded URL in error text makes 404-page phishing very easy #3997

Closed
harshjv opened this issue Jun 20, 2017 · 0 comments
Closed

Decoded URL in error text makes 404-page phishing very easy #3997

harshjv opened this issue Jun 20, 2017 · 0 comments
Assignees
@magik6k

Comments

@harshjv
Copy link

harshjv commented Jun 20, 2017
edited
Loading

Version information:

go-ipfs version: 0.4.9-7ea34c6
Repo version: 5
System version: amd64/darwin
Golang version: go1.8.1

Type:

Bug/Enhancement

Severity:

Medium

It is a critical issue for apps deployed on IPFS and uses IPNS to resolve multihash through a TXT record.

Description:

Aragon dApp is deployed to IPFS and we are accessing it through IPNS (gateway.ipfs.io and a TXT record.)

Now, consider this URL: https://alpha.aragon.one/%0D%0A%0D%0AHey%20there%2C%0D%0A%0D%0AIn%20order%20to%20use%20this%20application%2C%20please%20deposit%201%20ETH%20to%20this%20address%200x7Ee9687dcD25D4fC206a2724071eC313ea43e961%20and%20then%20refresh%20this%20page.%0D%0A%0D%0AThanks%2C%0D%0ATeam%20Aragon%0D%0A%0D%0A%3E%3E%3E%20sudo%20boom%20--verbose%20%28please%20ignore%20this%20error%20if%20paid%20already%29%0D%0A%0D%0A

Output
ipfs resolve -r /ipns/alpha.aragon.one/

Hey there,

In order to use this application, please deposit 1 ETH to this address 0x7Ee9687dcD25D4fC206a2724071eC313ea43e961 and then refresh this page.

Thanks,
Team Aragon

>>> sudo boom --verbose (please ignore this error if paid already)

: no link named "\r\n\r\nHey there,\r\n\r\nIn order to use this application, please deposit 1 ETH to this address 0x7Ee9687dcD25D4fC206a2724071eC313ea43e961 and then refresh this page.\r\n\r\nThanks,\r\nTeam Aragon\r\n\r\n>>> sudo boom --verbose (please ignore this error if paid already)\r\n\r\n" under QmZuxYkEyTgmVTr6xhZBdpbHunDbDtZ9UPa27uiuGkrtVj

Instead, it should print the original URL in error text.

Google (for example)

http://google.com/%0D%0A%0D%0AHey%20there%2C%0D%0A%0D%0AIn%20order%20to%20use%20this%20application%2C%20please%20deposit%201%20ETH%20to%20this%20address%200x7Ee9687dcD25D4fC206a2724071eC313ea43e961%20and%20then%20refresh%20this%20page.%0D%0A%0D%0AThanks%2C%0D%0ATeam%20Aragon%0D%0A%0D%0A%3E%3E%3E%20sudo%20boom%20--verbose%20%28please%20ignore%20this%20error%20if%20paid%20already%29%0D%0A%0D%0A

Output
The requested URL /%0D%0A%0D%0AHey%20there%2C%0D%0A%0D%0AIn%20order%20to%20use%20this%20application%2C%20please%20deposit%201%20ETH%20to%20this%20address%200x7Ee9687dcD25D4fC206a2724071eC313ea43e961%20and%20then%20refresh%20this%20page.%0D%0A%0D%0AThanks%2C%0D%0ATeam%20Aragon%0D%0A%0D%0A%3E%3E%3E%20sudo%20boom%20--verbose%20%28please%20ignore%20this%20error%20if%20paid%20already%29%0D%0A%0D%0A was not found on this server. That’s all we know.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@magik6k magik6k

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@whyrusleeping @harshjv @magik6k