www.PhishingAttack.zip
- added 23. 05. 2023
- Google releases new internet extensions, including .zip and .mov - which are already two common file extensions.
Watch the full WAN Show: • I'm sure you have ques...
If I were an IT admin for a school district or employer I’d immediately block these tlds. I don’t see any reputable organization ever seriously using them
I'm running OPNSense at home, so I'm stealing this idea, thanks!
Exactly. Most IT-security YouTubers also suggest it as the best thing you can do
And non-standard unicode characters
I am buying one for myself...
@@bosstowndynamics5488 If you ever figure out how to block these on OPNSense please let me know. I want to block them on my company network, but afaik it's not possible to block TLDs with unbound on OPNSense
This should be an LTT video. It's a legit security concern and spreading the word is only right. Ideally with some further research and comment from whoever came up with this
Yup, for real, this is a much bigger problem than what might first be on the surface
@@AlphaYellow Actually it is a much smaller problem to the point where I'd say it's a non-problem. RTL override is already a far mightier tool to trick people into clicking links that look like something else
These domain extensions can't go wrong at all
why ?
*dumb ways to die*
A .html is a file. That's what the 404 prompts are.
@@Idiomatick yeah I was gonna comment that the subject for this video is just dumb, guys do more research, y'all do so much research for main channel videos but then stream is this bs
@@Idiomatick Maybe, rewatch the video.
The scariest part is that simply typing the name of a file will now auto-link to malware in many programs and services. This doesn't even require phishing or social engineering anymore.
Just mentioning a file in a chat with someone you know can be enough.
So... your concern is that someone is going to post a link to a website that looks like it is actually a file, and then people will get tricked into going to a website ... which could potentially contain a malicious file.......instead of directly going to a file?
How would this ever be dangerous?
@@Idiomatick are google fanboys really this stupid?
@@Idiomatick No, the concern is that all mentions (even retroactive mentions) of .zip files are now clickable. Including any and all business emails/communication even between all official business contacts.
If you don't see how this isn't a massive issue then please don't try to hold any position related to security ever.
@@Idiomatick I think it's down again by now, but 42 dot zip for example is a famous zip bomb; someone registered that domain and put the zip bomb on there. Given it's not that big of an issue these days, but the mere mention of 42(dot)zip was linking it on like here, YouTube.
@@television9233 On phones, it is even more problematic. Because inadvertent taps happen.
5:45 - Even worse is that most companies use 3rd-party "safelink" tools that obfuscate the links even further and make it 10x as long, making it virtually impossible to find the @ symbol in that mess.
Safelink scans the domain and not the user info, also many safe links companies will only display the domain name - such as Trustwave
@@phantomlordmxvi but doesn't the .zip domain make it easier to even confuse people who are tech literate I get that this is a whole browser thing about how to handle Unicode and all but the .zip situation ain't helping 🫠
@@manankataria yes, because beside the @ symbol it looks like a legit download link for maybe a release or a whole repository etc
@@manankataria i also still don't get why that unicode character is even allowed in a URL by any browser, even though this has been known for years now
Safe Links is part of Microsoft Defender for Office 365.
At least Outlook and some other e-mail clients now display the original URL when you hover over a Safe Links URL; clicking or copying the link still brings you to the Safe Links version. Organisations can also create policies to control when URLs are "Safe Linkified" or not, for example: domains for internal company resources can be excluded to speed up access.
The only justification I can think of is money. Bad actors will want these domains to run those exploits and they'll have a high turn over rate as they get reported and removed and have to buy new ones. It's a malicious money printing machine lol
Over 3000 have already been registered; most of them are very obviously mimicking file names and some are already phishing or spreading malware
The exploit with the @ symbol has nothing to do with .zip domains
@@phantomlordmxvi Yes and? It's both of these in combination that is the real danger. The @ symbol has been a thing for a bit, but so far, isn't AS useful as it can be (to these malicious actors). When it is a domain like .zip or .mov, like the example given by Luke on the show with the Github link, it is EXTREMELY dangerous and easy to fool most people because like he said, you look at the beginning and the end of the link. If you see .zip or .mov at the end, you know it's a file. Or you think it is, because there might be that @ symbol there. It's just a mess honestly
@@phantomlordmxvi That ain't the point, my dude. That's just one of many possible exploits.
*puts tinfoil hat on*
I think it's because Google is trying to attempt to commandeer those file extensions. They make these domains available, people learn to not trust those extensions and it obfuscates their purpose, Google introduces new compression and video format/extensions, Google now controls more of the computing space (ie like their AMP for mobile)
I am convinced that Google is the most incompetent tech giant
I'm convinced this is deliberately malicious. They'd love to make a lot of ad sense money off of malicious ads that do this.
With all the scam ads on YouTube, I wouldn't be surprised if this was true
@@futuza I also think this is true, this is a sad world
@@futuza Remember they silently removed their slogan "don't be evil"
You should really look into what Meta's been up to, they're the most incompetent by far. But these TLDs go a long way too.
damn it google, even I as a software developer would get easily tricked by this.
The problem with the @ symbol has nothing to do with .zip domains!
It's possible with many (all?) domains
@@phantomlordmxvi Don't quote me on this, but from what I've seen/read the problem with the .zip domain is that people could see it as a download link and not a separate domain.
@1:50 in the video the link shown would be a github zip file download if it didn't have the @ symbol.
@@phantomlordmxvi It's two problems coming together; an old exploit and a new TLD that becomes a new, much more effective vector for the old exploit.
Edit: Also, stop making this reply to every single comment, jesus. We should not be trying to assuage concerns that are entirely warranted, with irrelevant counterpoints.
@@phantomlordmxvi Yes, and that's why browsers have been dropping support for it over the years. They dropped support for FTP and will now drop ALL support for the @ syntax. But that will have zero effect on domains that are common file extensions.
@@theassassassin2570 This is definitely a valid concern, I don't deny that.
But it's not the way they explained it, they directly conflated the @ exploit with .zip domain, which is wrong.
And looking at the comments, it seems like most people that watched the clip understood it like that, which is also dangerous, as they may block the .zip domain and then think they are safe from the exploit.
File extensions that can contain executable code (.exe, .app) or are de facto standards (pdf, zip, xls, docx, etc) should all be reserved for safety. Don't even open this door!
fyi images can even carry malicious code. you're right though.
It's ugly but it isn't a security issue at all.
Why tho? Who cares, accidentally opening a malicious website is normally less dangerous than opening a malicious file
@@UndercoverDog do you know how LTT got hacked?
@@baconwizard their session got stolen through an installed malware
Can't wait for them to register .docx .xlsx and .pptx
And .pdf .png might as well add .jpeg to the mix 😢😂
It gets even better: YouTube channels have the @ in the URL. So you're not just looking for the @ (which can be legit) but for the @ in combination with a TLD. Now imagine if someone managed to get .html as a TLD...
It's the "fake slash" that makes the @ symbol thing actually work. You're not allowed to have a slash in the username portion of the URL (if you do, it won't be considered a username anymore but a path). Browsers should just block any link that has that fake slash in there with a warning, and nothing should make auto-links with the .zip domain.
Instead of 'marketers', can we just call them sales weasels now?
Haha this is marketing not sales, we don’t claim those guys😂
@Peels Oh right. One group misleads customers to make sales, whereas the other group misleads customers to make sales. I got them mixed up. My bad.
Marketers have no common sense these days
3:52 "How did no one look at this?" It's simple. This is what happens when management is positively clueless about the thing they're managing, and either no one is willing to say, "Hey dumbass, you can't do that," or someone did say that and they were ignored. From the description Linus read from Ars Technica, I'd say that someone in Google management had just come back inside from leading new hires through trust fall exercises, and was about to have a meeting about synergy, when they had this bright idea and rammed it through without talking to someone who actually uses the Internet.
2:35 The slashes in the URL are a Unicode replacement that just look very similar in most fonts. This is also important because the "at" symbol wouldn't allow them before the hostname. The feature itself is for legacy HTTP authentication where username and password would come before the hostname. This would have worked even before (with other TLDs), even though it might be less convincing. This is one reason to look at the bottom left corner where the link actually leads to, because browsers will show the correct location.
EDIT: Made a mistake where I wrote html instead of http.
The dumber part? Someone made a ticket for this on the Chromium bug ticket system... and Google said they wouldn't fix this.
Great job, guys!
@@FlameSoulis It also goes back to the entire unicode in urls conversation.
The issue here is really with the standard, the username password part is still part of the RFC and unicode is also standardized in pretty much every browser (even non chromium).
This is a much broader problem that isn't unique to chromium.
Yeah, this is IMO way less bad than what Linus and Luke are saying: The problem isn't the `.zip` tld. It's that browsers haven't fully agreed on how to prevent misleading unicode in URLs. Complaining about the .zip domain is honestly just hurting the discussion, since it focuses on the wrong area.
ah yes us weebs are extremely knowledgeable people
@@manankataria The example given in the video ends with a .zip so it might be more obvious there. But even with an @ you can still add a path after the hostname, therefore hiding the separator in the middle of the URL. If people only check the first part of the URL (which is something even many tech enthusiasts do) they might get tricked even without .zip. It might be a bit worse now with the new tlds, but I honestly don't think by much.
The fact that many filenames like in email attachments are now links is probably a bigger problem.
Actually, disregard anything i've ever said, _this is a great idea._
Make .pdf, .doc, .rar, and .dll domains too!
PDF because what's more portable than a website, DOC for doctors and medical services (unconfusable), RAR because rawr uwu, and DLL for download sites!
Thank you Google, for being as brilliant as the center of the galaxy! I really appreciate you guys just being smart! :D
"RAR because rawr uwu"
lol thank you for the laugh
GREAT! Now when a business insists on PDF format only you can send them to a website.
Brilliant solution to dumb. No way it will create more dumb.
Executives also need a domain too! Something like .exe
@@TheHackysack that bit got me too 😂😂😂
DLL DownLoad Location.
Google should not be able to do this. Wtf even is the point! This is not ok.
ICANN is not fit anymore for managing TLDs. We should threaten to replace ICANN if they don't revert the move.
Seriously this is so messed up, this is literally malicious and evil.
I'm still baffled why a company is allowed to create TLDs at all. WTF did ICANN and IANA lose control of that and individual companies be given the authority to make new ones? 🤨 Microsoft will definitely create windows, bing, cortana, halo, etc. TLDs, Apple will make ios, ipad, imac, isuck, etc. Facebook will make meta and such, Ford will make escort, taurus, (other Ford models from more recent than 30 years ago), and so on. This is insane. 🤦
I remember long ago, someone said "break the wall down, join Google!" And I got downvoted to hell for commenting "what happens when Google becomes the wall?"
....some warnings come so soon by the time you realize what they were saying its impossible to turn back....
Luke is right on there with blocking these. We blocked these at our company, literally the day it was announced. I don't know how anyone responsible for security or system integrity could have thought this was a good idea.
How do you block them? I'd like to set it up on my family's computers.
@@flameshana9 I was just wondering the same thing. I want them blocked too but I've never done that before.
Something needs to be done about the Chromium team. First Jpeg XL and now this. They clearly don't consider the health of the internet in their decision making.
Oh yeah, and they also wontfix-ed the @ symbol thing. Firefox gives you a warning if you try to go to that link, Chromium does nothing
Google's business comes so much from scams, that it makes sense for them to help scammers.
This is exactly the reason. Google will get paid from every domain made on the TLDs and that’s more money from them
What scans exactly are you suggesting they directly profit from? Be explicit
Just have ads enabled on YouTube and see how many scams pop up: free robux, free shark cards and GTA V for Android phone, I see A LOT of these as ads on YouTube.
But a ad for Right to Repair is bad, this goes too far.
Google seem wanting to benefit directly from scammers.
@Pharya, there is a reason scammers want Google Play cards most of the time
I hope someone makes a chrome extension or something that will highlight a .zip or .mov URL red so I know when it is a URL and not a file. I'm very tech savvy, but I can totally see myself getting got by this
There are 26^3 possible combinations for TLD names. Even excluding all the used ones, and those used by common file extensions, that's easily over 10k possibilities.
And this is when you limit yourself to lowercase English, and 3 characters.
There was a functionally infinite number of possibilities, and somehow they picked the single worst option.
They could have gone with zyp...
Canon have ".canon" as a top level domain, I don't think there's a character limit.
@@Zayfod there isn't, the minimum is 2 characters (most country TLDs), but you can have pretty long ones - the longest one I could find on Wikipedia is .cancerresearch - almost anything can be used as a TLD these days. I would assume that profanity isn't able to be used for TLDs, so probably no .shit or similar addresses out there.
It's more than that. Soooo many more than that.
.world
.tech
Etc etc. And you have all the 2 digit domains
Two very commonly used file extensions are now also domain addresses? What could go wrong! ThioJoe made two good videos about the zip extension. One thing he mentioned is that some sites that automatically create links from text they think are webpage domain link text have started to do it with the zip, so if you have text with dot zip in it, it might automatically be changed to a link, which is a big problem, as you could easily see some of this converted text now being links redirecting to who knows where by some hackers/scammers.
Yup, Joe will probably end up thinking of more issues and put out another video. I already posted more issues in the comments to both videos and again more here. It's like the meme of "fractal stupidity" where it gets dumber the more you think about it and the deeper you go. People just keep coming up with more and more ideas of how it can be abused, and we're the good guys. Imagine what the bad guys are up to. 🤦
When trying to access such URLs, Firefox warns that someone may be trying to scam you. Chrome seems to just redirect you to the potentially scam website. No idea whether this could be worked around of not though.
been watching ltt for at least 5 years now. love the wan show as well, great to find out what's going on in the industry and to get some opinions on topics to challenge or strengthen my own. always enjoy watching you two (and dan), one of the things i look forward to every week
Thank you for calling this out, as it should and needed to be. Would you please consider creating more of a consumer, PSA-style warning about this? While it might not be a traditional LTT-style video, it can serve to be shared and disseminated quickly. I can tell you that if you would be willing to do something like this, both our ISP and ASP arm would promote it and send it out directly to all of our clientele and their customers.
Google should be held liable for any damages that arise from this, mostly because they know and knew better. This was just an arrogance and omnipotence move.
What they explained is misleading.
The "attack" using the @ symbol has nothing to do with .zip domains.
@@phantomlordmxvi Although it might make them easier, which is at least part of the problem.
You want a PSA for basic security of hyperlink clicking? I personally always glance over the URL
But Google doing this is crazy stupid - The "Do No Evil" motto is dead. Honestly Linus's short handed accusation of fucking with Apple is just right...
@@phantomlordmxvi Sure, but it makes it look a lot more convincing.
Wait until you hear what ICANN's response was about why they approved it: "Nobody types file names into the location bar"
Reminds me of their bogus justification for not adding JPEG XL support.
3:01 the @ symbol can also be font size 1 and white so it could be even harder to identify these
Most of the blame is on ICANN for letting this through. Google are just making the TLDs more publicly available by selling them directly.
The problem with those of us that are Savvy and Beyond is that we have such an automatic workflow sometimes.
We are going to get caught just in basic muscle memory.
I could even see an overlay security function built into the browser or something like that where we are queried when attempting to click any kind of zip link. This is a ZIP file, is that what you want? This is a domain link is that what you want?
create a uBlock filter for *.zip and *.mov, it'll do just that
In that case you'd already be got by "regular" @-exploits. Literally any hyperlink you click on any website could be such an exploitive link
I imagine browsers are going to build in safeties for this. Anytime you access one of these sites with a "tricky" url with an @ symbol or something, it will pop-up with a warning before *actually* navigating to that domain/making any requests.
Google has already said they won't
Edit: sourced from another user who put in a bug report about this
Ironic that in the case of chrome, that would be the same company who intentionally created this to help scammers who pay them unfathomable ad revenue.
I don't know why everyone keeps bringing up @. What does @ have to do with the url?
I'm pretty sure firefox does, since it has a website login popup, asking if you want to log in using the url
I'd prefer tld ban instead of @ ban
just make it painfully obvious that this isn't allowed even if internet overseers think it does
The solution is going to be blocking those TLDs at the DNS level.
The solution is to not do what Google have just done. 😂
Maybe at the root DNS level. But many people use Google DNS and would still be vulnerable.
It would be great if you could do a PSA for this on LTT
And Tech Quicky
yeah this is potentially a pretty massive issue for the internet as a whole. more people need to be made aware
“How did no one see this as a problem”
Literally
Not to put on a tin foil hat here, but I refuse to believe that Google is capable of this level of incompetence.
It's got to be some higher up manager or board member or whatever who has no idea and just thought something like "why are we just sitting on these tlds, we can sell these domains for more profit"
The thing with the @ symbol has nothing to do with .zip domains.
They have the .meme TLD for many years now and aren't using it.
Believe me, they DO have that level of incompetence.
@@phantomlordmxvi Please elaborate.
It's malice. 100%.
The reason for the proposal of zip TLDs is the association with file storage, since in the 1990s there were zip drives....
I am not kidding!
I find it funny how in the announcement they start every point by saying ".Foo is a secure domain for ..."
None of these are secure, especially .Zip and .Mov
Google's explanation: "Tying things together or moving things really fast" and "moving pictures and whatever moves you".
Who the heck speaks like this when describing something to a general audience, without any context? No, seriously, what does it even mean?
"What is that even supposed to mean?" Was literally my first thought too when Linus read it
@@thatradioboy maybe Google's actually been taken over by a malicious AI, and this is their first move to establishing Skynet
Back in the day, we used to go to the theatre and watch moving pictures for a nickel. Charlie Chaplin was quite the handsome gentleman caller
This just will make it harder to search for specific files
on the topic of providing scammers with tools, who the hell thought browser notifications are a good idea?
Less tech savvy people think they need to click allow on any site they visit to access it and then they don't recognize where that "open now to remove virus" notification came from.
I've received this phone call enough times that disabling all browser notifications is the first thing I do on any smartphone for an older family member.
We don't need browser notifications, who the hell thought this is a good idea.
I use them, but only for communication websites like Discord (in browser) or other times where getting notified is useful.
Or am I mixing things up?
@@bengineer8 If you like getting notifications on PC I guess, on a phone people just use an app for everything anyway. I'm sure someone would also find a .zip website cool but I think we have to make certain sacrifices because of bad actors.
Pc notifications are the bane of my existence, browser or desktop i do NOT need to be notified of anything when im on my pc lmao, why tf would you use discord browser? dl the app god damn
@@Knifykat Sometimes I just don’t feel like downloading it or am on a borrowed device.
Apparently Firefox asks you if that is a site you want to visit with a pop up, but that is still not great because a lot of people just click through such boxes without realising it.
moving pictures, sounds like someone at google is a Terry Pratchett fan
Those domains are the embodiment of "I serve no purpose"
...other than malware
If they wanted movement, they could've done dot move, or if they wanted movies, they could've done dot movie.
I work in a SOC and I'm about to quit ngl this is going to be a legit nightmare
"Looks good to me!" -Black Hats, definitely
browser link abstraction, unicode lookalikes for slashes, and @ in links are the enablers in this situation
At least firefox has a beautiful solution to this. "You're about to log into . Are you sure?"
2:40 The YouTuber ThioJoe explains this in more detail in his video 'Google Did Something REALLY Stupid - Protect Yourself!'
I love seeing all of the tabs open that they plan on talking about lol. This channel is all about clips and for the WAN show a clip is about 30 minutes. Great show and great content everyone lol
Linus keeps setting off my link bar with the "ok google" starting hahaaha 😂😂
Don't forget you can just use a bitly link to hide it entirely too 🙃🙃
I have already set my AdGuard Home to have a blanket block on all .zip and .mov URLs. Literally the only way to try to protect yourself and people on your network from all the malware this is gonna bring on.
you should also block russia, china, africa and india to protect yourself
What makes this even more stupid is that IANA, who releases these TLDs, also keeps the records for media types (formerly MIME Types)
Edit: to update the name for MIME Types
I've been scanning my URLs for years because a friend got dunked with a phish that used the same scheme. It was a "PayPal" link to pay for something that he wanted that looked fairly legit, but the full URL used that trick to steal his login info.
Google, might I remind you of the COM worms in the 90's and early 2000's?
It’s not just the @, that symbol after a forward slash no longer means username, those forward slashes are unicode characters that look like forward slashes
There's already a chrome extension to block both domains, well done internet.
I heard they are planning `.pdf` next
/jk
I almost want to see them try just for Adobe to retaliate somehow.
I can honestly see Adobe and Microsoft going and claiming the domains of their typical file extensions and then just never releasing the domains for them
It isn't just the @ symbol, it's also that the slashes have been replaced with similar unicode characters.
Zuko: That's rough buddy.
This is an absolute nightmare.
If I type something that's not a URL into my browser's search bar, it instead performs a Google search which I find very handy. As someone who likes tinkering with software, I sometimes find myself searching for specific file names.
I'm decently computer-savvy, but I can absolutely see how, tired or distracted, I could fall victim to this. It's a tremendously bad idea.
That is on you though, not on anyone else
Fact of the matter is that browsers like Firefox interpret the escape sequence for special characters like @ and " " as their special character version. So looking at a URL @ and its escape sequence will look exactly the same.
0:00 the "okay google" enabled my Google assistant
there are already some malicious zip files that now have a domain that will auto download a file that is malicious. Some email programs (Mac Mail) are converting existing .zip items in even past emails are going to see this.
I am in IT and deal with cyber security issues all the time and this is going to be fun to deal with as well!!!!!
Links with the @ in them were a big thing in 90s in scam emails.
100% everyone is vulnerable to this.
fuck me getting people at my company to look out for this is gonna be a pain in the ass
I like how google said ".com was a file extension too, so it's happened before" YEAH in a time where nobody had internet and had windows 3.11
This is what happens when the marketing department makes decisions and completely ignores the recommendations from the experts. Because marketing always knows best. So I'm guessing engineers at Google did stand up and say this is dumb but were overruled.
"okay google" at the beginning
thanks for that bro
It can’t be that someone at Google looks at this and be like: that doesn’t seem dangerous.
Watching him show in real-time how crap Google search is now was fun. That's me trying to find basic things, and the last time I searched something on YouTube it gave me random videos from corporate news channels and then a section of entirely different and unrelated videos and people I'm subscribed to.
Think about hyperlinks in emails… it doesn’t put the domain
It's made even worse imagining how many people were involved in the creation of these TLDs that didn't think about it, didn't think it would be a problem, or been stonewalled by people who didn't think it would be a problem.
Is there a petition to undo this anywhere and can I sign it more than once?
Starting the video off with "OK Google" made mine and probably many others phones pop up with Google assistant 😂
as mentioned by the floatplane chat, it's not just the @ (for username:password stuff, can be used if your say connecting to an ssh connection)
it also abuses a Unicode character which is very close to the backslash which is called the *Division Slash*
can you tell the difference with this */* (Unicode 2F) (punctuation slash, the normal one) and this *∕* (U+2215) (Division Slash) and *⁄* (U+2044) (Fraction slash) and *／* (U+FF0F) (Fullwidth Solidus*)
*the alternate name for slash is Solidus
the reason this matters is because the @ only works as login info if it's before any site info (username:password@domain)
so they use the slash/Solidus look a likes so it seems to be a domain but the browser just looks at it as not a domain (with the domain part coming after the @ which is then abusing the .zip TLD (top level domain))
@@aceae4210 One of the most common fonts people use is one where I looks the same as l.
@@aceae4210 But this has nothing to do with .zip domains. This "attack" is possible with most/all domains.
Uggh you started the video with “okay google” 😂
My Google home woke up at the beginning of the video. Scared me out of my seat
Google Partner since 2008 as a GAAC, I've been around longer than most employees. There's some chaos there right now, and the Fold bezels...and this, and Ads was down last night for a bit, and search is corrupted with ads, bard isn't performing, the actual f.
what the heck is bard even? i've been using claude and while it's no gpt4, it's been decent so far
@@aliasonarcotics I'll have to check it out, every week has a whole process of vetting to explore now.
I said this elsewhere, browsers must start showing the actual domain a link points to when you Hover over it. But that Does nothing for copy pasted text unles they add this step before confirming, or just have sus detector all the time
The sad thing is:
1) They know exactly what they are doing.
2) They know that no matter what lawsuits/fines come their way, this will still be a profitable endeavour.
3) They know that the consumer does not have the power to stop them.
Extra kicker: They can use a special character that looks almost exactly like a /, so it even becomes less obvious...
Luke is right, this is going to trick so many people. Even tech savvy users.
You can also make the @ symbol font size super small so you don't even see it.
This is a nightmare. Please help us tell Google this isn't okay.
So has that @ thing always been there or has it been introduced alongside these new tlds?
What does the @ mean now, I thought it was associated with email addresses not website domain links?
i think the best way to stop this is if windows has it baked into defender to block those specific domains. but i don't see why microsoft would want to go against another company of its size
how do you choose three letter abbreviations for your domain that already exist and are still very commonly used? how do you imagine that is a good idea, even if it isn't a massive security risk?
All major search engines have fallen off with usability.
The @ symbol issue is actually stupider than mentioned here because legitimate URLs can have an @ symbol.
If the symbol is after the 1st forward slash (/) then it will function as a normal part of the path and not link to the .zip domain, the problem is that these malicious links don't use forward slashes, they use a unicode character that looks almost identical to a forward slash.
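As an added example (not code from the video or from any commenter), here is a small Python checker that applies the parsing rule this comment and the Unicode-slash comment further up describe: the authority of a URL ends at the first ASCII '/', '?' or '#', and the last '@' inside it separates userinfo from the host the browser really connects to. The domain names in the samples are constructed placeholders, not real registered sites.

```python
import re

# Codepoints that render like "/" in many fonts but are not the ASCII solidus
# U+002F, so a URL parser never treats them as path separators.  These are the
# three named in the thread above.
SLASH_LOOKALIKES = {
    "\u2215": "DIVISION SLASH (U+2215)",
    "\u2044": "FRACTION SLASH (U+2044)",
    "\uff0f": "FULLWIDTH SOLIDUS (U+FF0F)",
}

# TLDs that double as common file extensions; extend as needed.
FILE_LIKE_TLDS = {"zip", "mov"}

_SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")


def split_authority(url: str):
    """Simplified WHATWG-style authority parsing for scheme://... URLs.

    The authority runs from '//' to the first ASCII '/', '?' or '#'.
    Inside it, text before the LAST '@' is userinfo (the legacy
    user:password@ syntax) and the host is whatever follows.  A lookalike
    slash is not ASCII '/', so it does not end the authority.
    Returns (userinfo_or_None, host, rest_of_url).
    """
    m = _SCHEME_RE.match(url)
    if not m:
        return None, "", url
    rest = url[m.end():]
    end = next((i for i, c in enumerate(rest) if c in "/?#"), len(rest))
    authority, rest = rest[:end], rest[end:]
    userinfo, at, hostport = authority.rpartition("@")
    if not at:
        userinfo = None
    # Drop a trailing :port (bracketed IPv6 literals are not handled here).
    host = hostport if hostport.startswith("[") else hostport.split(":", 1)[0]
    return userinfo, host.lower(), rest


def inspect_url(url: str) -> dict:
    """Report the host a browser would actually connect to and why the link
    text may mislead a reader: hidden userinfo, slash lookalikes, or a
    TLD that reads like a file extension."""
    userinfo, host, _ = split_authority(url)
    lookalikes = sorted({SLASH_LOOKALIKES[c] for c in url if c in SLASH_LOOKALIKES})
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    reasons = []
    if userinfo is not None:
        reasons.append(f"text before '@' is userinfo; real host is {host!r}")
    if lookalikes:
        reasons.append("slash lookalikes present: " + ", ".join(lookalikes))
    if tld in FILE_LIKE_TLDS:
        reasons.append(f"host ends in .{tld}, which also reads as a file name")
    return {"host": host, "userinfo": userinfo, "tld": tld,
            "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    # Constructed samples; the .zip domain below is a placeholder, not a real site.
    samples = [
        "https://github.com/example-org/example-repo/archive/refs/tags/v1.0.0.zip",
        "https://github.com\u2215example-org\u2215example-repo\u2215archive"
        "\u2215refs\u2215tags\u2215@constructed-demo.zip",
        "https://www.youtube.com/@linustech",   # '@' after a real '/' is just path
        "https://user:secret@intranet.example/report.pdf",
    ]
    for s in samples:
        r = inspect_url(s)
        print(("SUSPICIOUS " if r["suspicious"] else "ok         ") + s)
        for reason in r["reasons"]:
            print("    - " + reason)
```

The third sample shows why a bare "contains @" rule is too coarse: an '@' after the first real slash is path text, which is exactly the legitimate YouTube channel URL form mentioned earlier in the thread.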
Not a new thing by the way. Combine that with the rtl override character and you can make "file urls" already
Google: "Don't be evil."
Also Google: "Just be dumb as a rock."
Remember how Google dropped its old motto of "Don't be evil"?
remember when google HQ was in my city and was kinda proud of it.
Google really has gone off the deep end this time.
What the hell were the people thinking who thought of this. First thing I'm doing is blocking these domains permanently.
MOVs for anything to do with moving pictures, ZIPs for speed.
the worse thing is you can make the @ very small so that you don't even see it
line cable's up as sponsor word at 6.45
The security business craze has made it to LTT... ^^
The ok google at the beginning activated my speaker and I almost shit myself.