Google recently announced that the .zip TLD (Top-Level Domain) is now available for purchase, starting at $15 a year.

This is really cool, but it has a major problem. ZIP files are extremely common in URLs, and this TLD allows for the exploitation of a really obscure, deprecated piece of HTTP URL functionality.
The Big Issue
Take a look at these two URLs. Which one is legit?
https://microsoft.com/vs-code/2023-05-20.zip
https://microsoft.com/vs-code/@2023-05-20.zip
If you said "the first one", well done. However, would you have noticed the second one at first glance?
The issue is the "@" symbol in the URL. The @ symbol allows a URL to carry username and password information in front of the host name, in this style:
username:password@example.com
You see the issue? The "/" characters in the second URL aren't actually / characters at all, but an entirely different Unicode glyph that most fonts render identically to /. This means that the URL:
https://microsoft.com/vs-code/@2023-05-20.zip
sends "https" as the username and "//microsoft.com/vs-code/" as the password to 2023-05-20.zip. This means that a hacker could purchase that domain and have at it.
(I checked 2023-05-20.zip, and it's available for just £13 a year)
A user would likely not notice the @ symbol and think that the URL is legit.
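To make the parsing concrete, here is an added example (my own code, not from the original post) that models how a browser-style (WHATWG) URL parser splits the authority of an http(s) URL: the scheme is read first, any run of real "/" is skipped, and the last "@" in the remaining authority separates credentials from the host. Because a Unicode lookalike slash is not a real "/", it never terminates the authority, so the whole "∕∕microsoft.com∕vs-code∕" becomes userinfo and the request goes to 2023-05-20.zip. The lookalike list and the sample URLs are constructed for illustration; IPv6 host literals are not handled.

```python
import unicodedata

# Code points that many fonts draw like an ASCII "/" (constructed, short
# illustrative list, not exhaustive).
SLASH_LOOKALIKES = {"\u2044", "\u2215", "\u29f8", "\uff0f"}


def effective_authority(url: str) -> tuple[str, str]:
    """Return (userinfo, host) the way a browser-style (WHATWG) parser would.

    Simplified model: after a special scheme such as https: the parser skips
    any run of '/' or '\\', takes everything up to the next '/', '\\', '?' or
    '#' as the authority, and splits it at the LAST '@'. A Unicode lookalike
    slash is not '/', so it never ends the authority. IPv6 literals such as
    [::1] are not handled (assumption: hostnames and IPv4 only).
    """
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() not in ("http", "https"):
        raise ValueError("only http(s) URLs are modelled here")
    rest = rest.lstrip("/\\")
    end = next((i for i, ch in enumerate(rest) if ch in "/\\?#"), len(rest))
    userinfo, _, hostport = rest[:end].rpartition("@")
    host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
    return userinfo, host.lower()


def inspect_url(url: str) -> dict:
    """Flag the two tells from the post: credentials before '@' and fake slashes."""
    lookalikes = sorted({f"U+{ord(c):04X} {unicodedata.name(c)}"
                         for c in url if c in SLASH_LOOKALIKES})
    userinfo, host = effective_authority(url)
    return {
        "host": host,                  # where the request really goes
        "userinfo": userinfo,          # text a reader may mistake for the path
        "lookalike_slashes": lookalikes,
        "suspicious": bool(userinfo) or bool(lookalikes),
    }


if __name__ == "__main__":
    # Constructed samples: the post's legitimate URL and a spoof built with
    # U+2215 DIVISION SLASH in place of every '/'.
    legit = "https://microsoft.com/vs-code/2023-05-20.zip"
    spoof = "https:\u2215\u2215microsoft.com\u2215vs-code\u2215@2023-05-20.zip"
    for u in (legit, spoof):
        print(inspect_url(u))
```

Run it and the spoofed URL reports host 2023-05-20.zip with the whole fake path sitting in userinfo, while the legitimate URL reports microsoft.com with nothing flagged.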
How To Fix It
There are two solutions to this problem: vigilance, plus an optional nuclear option.
Vigilance
Before you click on a URL that claims to be an attachment, check for the @ symbol. If there is one, DO NOT CLICK THE LINK. Once you've realised it's a fake link, you can report said link to the DNS provider (instructions later).
Nuclear Option
You can add the following line:
0.0.0.0 *.zip
to your hosts file:
Linux: /etc/hosts
Windows: C:\Windows\System32\drivers\etc\hosts
This will redirect all .zip domains to 0.0.0.0, which should be invalid. Alternatively, you can redirect them to 127.0.0.1 instead, in order to point them at your own computer.
Doing this will mean that you will not be able to visit any .zip websites. It's not recommended, but it is the only truly safe option.
How To Report Fake Sites
Go to https://whois.com/whois/
Paste the URL into the box:

Scroll down and look for the registrar, in this case GoDaddy:

Visit the registrar's website and find their abuse department's email or contact information.

Make a report with the registrar and get a response.
Alternatively, make a report with Google: https://safebrowsing.google.com/safebrowsing/report_phish/
Conclusion
To conclude, the .ZIP TLD is a terrible idea. I doubt any legitimate companies will use it for any reason other than to reserve it, and its main use will be for malware distribution. Google should either cancel it or regulate the names reserved.