Comment In early May, Google Domains added support for eight new top-level domains, two of which – .zip and .mov – raised the hackles of the security community.
The reason, of course, is that .zip and .mov are both file extensions. So there is concern that a miscreant could employ these TLDs to trick people into visiting a malicious website when they believe they are opening a file, among other threat scenarios.
A security researcher who goes by the name “bobbyr” offered an example of the problem with Google’s move in a blog post on Tuesday. They pointed out that by abusing a known Chrome behavior – one Google has decided not to fix – it’s possible to construct a URL with a Unicode character that displays as a slash – U+2215 (∕) – but isn’t treated as a slash when the browser fetches the URL.
And by adding the @ delimiter to the URL – which separates the userinfo component from the host in the URL’s authority (RFC 3986), and which most modern browsers quietly accept and drop because embedding credentials in a URL is somewhat unsafe – this link …
… gets treated as …
… because everything before the @ delimiter is treated as user information.
The resulting v1271.zip domain could be registered and used to host, say, a Flask application that responds to any request with a malicious .exe file.
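As an added illustration (not code from the article or from bobbyr’s post), the following Python splits a URL the way RFC 3986 does and flags the two tricks described above: userinfo hiding the real host, and a lookalike slash inside it. Only v1271.zip and U+2215 come from the article; the sample URL, the example.com label, and the extra lookalike code points are constructed for this example.

```python
import re
import unicodedata

# Code points that render like '/' but are not the ASCII solidus U+002F.
# U+2215 is the one from the article; the others are assumed additions
# from the same family of visually confusable characters.
LOOKALIKE_SLASHES = {"\u2215", "\u2044", "\u29f8", "\uff0f"}

# TLDs that double as common file extensions.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# RFC 3986 authority: after "scheme://", everything up to the first ASCII
# '/', '?' or '#'. A lookalike slash is not a delimiter, so it stays inside.
_AUTHORITY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")

# Constructed sample: a reader sees a path on example.com, but the browser
# connects to v1271.zip. Every '∕' here is U+2215, not '/'.
SAMPLE_URL = "https://example.com\u2215downloads\u2215report.pdf@v1271.zip"


def analyze_url(url: str) -> dict:
    """Report the host a browser would really connect to and why it looks off.

    'host' is the effective host, 'userinfo' is what precedes the last '@'
    (what a reader may mistake for host and path), 'reasons' lists indicators.
    IPv6 literals in the authority are out of scope for this example.
    """
    m = _AUTHORITY_RE.match(url)
    if not m:
        return {"host": None, "userinfo": "", "reasons": ["no authority"]}
    authority = m.group(1)
    # RFC 3986 section 3.2.1: everything before the last '@' is userinfo.
    userinfo, _, hostport = authority.rpartition("@")
    host = hostport.split(":")[0].lower()
    reasons = []
    if userinfo:
        reasons.append("userinfo before '@' hides the real host")
        for ch in sorted(set(userinfo) & LOOKALIKE_SLASHES):
            reasons.append(
                f"lookalike slash U+{ord(ch):04X} ({unicodedata.name(ch)}) in userinfo"
            )
    tld = host.rsplit(".", 1)[-1]
    if tld in FILE_EXTENSION_TLDS:
        reasons.append(f"host ends in file-extension TLD .{tld}")
    return {"host": host, "userinfo": userinfo, "reasons": reasons}


if __name__ == "__main__":
    for u in (SAMPLE_URL, "https://example.com/downloads/report.zip"):
        print(u, "->", analyze_url(u))
```

Note that the benign second URL is not flagged: a `.zip` at the end of a path is an ordinary download, and only the authority decides where the request goes.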
That URL parsing behavior is evident if the above URL is pasted into the Chrome omnibox. Chrome will show the