.ZIP Domains Are a Disaster (Hackers Love them)

  • Published on 30 Jul 2024
  • $5 Free Credit 👉 PCBWay pcbway.com/g/gS3qI9
    Timestamps:
    0:00 Intro
    0:28 A very. Bad. Idea
    1:56 Sophisticated Phishing Links
    4:43 In Defence of .Zip
    5:57 PCBWay
    6:36 Outro
    Sources:
    / the-dangers-of-googles...
    www.bleepingcomputer.com/news...
    www.ghacks.net/2023/05/15/goo...
    www.blog.google/products/regi...
    isc.sans.edu/diary/The+zip+gT...
    isc.sans.edu/diaryimages/zipd...
    www.theregister.com/2023/05/1...
    github.com/trickest/zip/blob/...
    ===============================================
    My Website: www.seytonic.com/
    Follow me on TWTR: / seytonic
    Follow me on INSTA: / jhonti
    ===============================================
  • Entertainment

Comments • 757

  • @NicholasArmstrong-rn1zn 1 year ago +2013

    You know it's bad when you're relatively tech savvy but can confidently say you would fall for something...

    • @Daveeeeeeyhowyoudoing 1 year ago

      Relative to what, your 80 year old grandmother? A rock?
      If you were tech savvy, you would have an extension that does Grammar checks for you.... You would realize you are relatively stupid

    • @Splarkszter 1 year ago +74

      yup. now gotta be scared of every markdown.

    • @Izzythemaker127 1 year ago +55

      Agreed, I would most likely fall for this if I hadn't known, and might still. Idk whose idea it was to store PLAIN TEXT LOG IN CREDENTIALS IN THE URL WITH A COMMONLY USED SYMBOL in the first place

    • @yeetyeet7070 1 year ago +17

      @Izzythemaker127 nah that's fine. the .zip TLD is the problem

    • @its_herocast276 1 year ago +7

      @yeetyeet7070 Putting plain text login credentials in the url is "fine" according to you?? Seriously?

  • @Fasguy 1 year ago +1248

    The zip TLD is genuinely one of the dumbest decisions Google has ever made.
    Hey, let's add exe as a TLD as well, while we're at it.

    • @UriahStuff 1 year ago +158

      Let's add PNG, JPG, MP4, and MP3.

    • @ocsanik502 1 year ago +90

      @UriahStuff and .elf, .bin, .so, and .dll as well

    • @bitten2up 1 year ago +56

      @ocsanik502 oh and don't forget about .c, .c++ and .cpp, .c# .. and finally .a

    • @homework8969 1 year ago +44

      wait dont give them ideas (and .o, .dir, .tga)

    • @ocsanik502 1 year ago

      @bitten2up and .h, .asm, .py, and .sh

  • @mfaizsyahmi 1 year ago +917

    My biggest question is: Who the heck let Google be a TLD registrar???

    • @plasticstuff69 1 year ago +73

      Anyone can be a domain registrar lol?

    • @himabimdimwim 1 year ago +171

      ICANN.

    • @Tim_van_de_Leur 1 year ago +191

      @himabimdimwim it's called ICANN, not ICANNOT :P

    • @adispenser 1 year ago +44

      @plasticstuff69 anyone can register a domain but google can create them

    • @wiger_ 1 year ago +90

      they let you do anything if you donate millions per year

  • @sherlockmaverick 1 year ago +303

    You and I, maybe we can be on the lookout for this. How on earth am I going to explain this to the infinitely large swathes of non-tech-savvy people I know?!
    Bad move, Google. Very bad.

    • 1 year ago +1

      I guess we have to save this video to explain to those non technical people. 😅

    • @Vysair 1 year ago +6

      @Dave Dörenberg-Veltman It needs to be shorter because of the garbage attention span

    • @DJ_POOP_IT_OUT_FEAT_LIL_WiiWii 1 year ago

      put mouse over link, look in status bar...

    • @Stroopwafe1 1 year ago

      @DJ_POOP_IT_OUT_FEAT_LIL_WiiWii *user proceeds to put their physical mouse over the monitor where the URL is, asking "where is the status bar?"*

    • @friendsfrenz1944 1 year ago

      @Vysair honestly non tech savvy users will just read the title and believe it... as long as they relatively trust you
      They will care about this stuff

  • @Tarodenaro 1 year ago +192

    Sweet, please make a video once a google employee gets pwnd by this domain lol

    • @Seytonic 1 year ago +65

      I'll be on the lookout 👀

    • @GameMaker3_5 1 year ago +1

      @Seytonic It'll be ebic ;)

  • @metcaelfe 1 year ago +620

    It was irresponsible to allow the TLD in the first place

    • @i_am_a_real_cat1443 1 year ago +1

      what is a tld?

    • @ahsokaincognito 1 year ago +40

      Absolutely. I cant think of one legitimate business which would use this tld

    • @ahsokaincognito 1 year ago +27

      @i_am_a_real_cat1443 top level domain, the part behind the last dot in a domain. Like net, de, fr

    • @troughy3288 1 year ago +2

      @i_am_a_real_cat1443 top level domain

    • @fiverZ 1 year ago +3

      How can Google even issue their own TLD's?

  • @muizzsiddique 1 year ago +405

    When .rar and .7z TLDs exist, we will know that this act was malicious the whole time.

    • @danieljaouen9384 1 year ago +34

      Google wouldn’t do this because they need plausible deniability.

    • @scottc5181 1 year ago +45

      Along with .tar and all will be covered.

    • @chromefinch 1 year ago +27

      .exe tld
      I quit

    • @madman4043 1 year ago

      That's not how this works. At all. One bad decision followed by more bad decisions doesn't prove it was malicious, just that they make a lot of bad decisions.

    • @bitten2up 1 year ago +8

      @scottc5181 .gz and .tar.gz tld

  • @evaneevee8398 1 year ago +202

    The fact that the people at the head of this thought it's a good idea to create a .zip domain possibly scares me. It's like they don't even care what happens to their loyal customers. Even as someone who doesn't interact with much outside of a couple friends, I'm worried about falling for one of these now. This opens up so many more attack opportunities that it's quickly becoming dangerous to even download anything that normally sends you to a blank page that auto downloads the file.

    • @Daveeeeeeyhowyoudoing 1 year ago +2

      Cry about it 😂😂😂

    • @bubba99009 1 year ago +25

      They don't care what happens to their customers. It's all about that $15/year.

    • @MischieviousJirachi 1 year ago +25

      @Daveeeeeeyhowyoudoing no one reply to this guy, they're not serious and jus wanna make u mad

    • @dabster291 1 year ago

      @MischieviousJirachi report them for harassment instead

    • @vvert1506 1 year ago

      @MischieviousJirachi but what if i like their attitude?

  • @GatlingNG 1 year ago +247

    Who could have seen this coming! That anyone thought that having a gtld be an archive file extension was a good idea is beyond me.

    • @Appoxo 1 year ago +15

      Next one will be .rar and .7z/7zip?

    • @martenkahr3365 1 year ago +17

      The core problem is that Google has paid enough money to ICANN to become a TLD registrar. They didn't need to get any outside opinion or permission to create that tld. I imagine the most that happened was more technical people downstream explaining why this was a bad idea and the business sociopath who only sees the potential revenue of selling those domains to criminals making responding with "Okay, your concerns are noted. Now do it anyway or I'm replacing you with someone who will."

    • @LePedant 1 year ago +1

      That's called the Dunning-Kruger effect. It occurs when a person's lack of knowledge and skills in a certain area cause them to overestimate their own competence.

    • @deality 1 year ago

      @Appoxo lol

  • @YEdwardP 1 year ago +140

    I'm a reasonably tech-savvy, non-expert user and having heard your arguments, I am now convinced that this was a bad idea and should be undone.

    • @LePedant 1 year ago +4

      That's called the Dunning-Kruger effect. It occurs when a person's lack of knowledge and skills in a certain area cause them to overestimate their own competence.

    • @turolretar 1 year ago +2

      @LePedant pretty sure it’s called the “Dumb-n-cruder effect”, but I’m not an expert.

    • @LePedant 1 year ago

      @turolretar Lol, sounds like something Michael Scott from The Office would say.

    • @kumi6797 11 months ago

      @LePedant can't go wrong, right?

  • @xaza8uhitra4 1 year ago +63

    don’t know about you guys but i can’t wait to click on all the .zips i see

  • @FAB1150 1 year ago +93

    It's a thing I would fall for if I didn't follow all the drama... How the hell will I explain this to my parents?

    • @Tim_van_de_Leur 1 year ago +3

      Just unplug them :P

    • @truerandomchannel 1 year ago +4

      don't let them click ANY links

    • @freedustin 1 year ago +20

      "Stop using the internet, its by criminals for criminals now."

    • @FAB1150 1 year ago +5

      @truerandomchannel the whole thing is that these links don't look like links

    • @joelpww 1 year ago +1

      @FAB1150 exactly. The challenge of explaining to most people would be extremely hard

  • @AdamS-nd5hi 1 year ago +66

    Google been comfortable collecting checks from black hats for years. Wouldn't surprise me if they put these features out specifically for them to drum up new rev streams. Orgs should block zip and mov sites in their dns internally

    • @suncat530 1 year ago +3

      i want to learn more, do you have links to some sort of articles talking about that?

    • @apIthletIcc 1 year ago

      And carriers should do the same, somehow though it still isn't happening. Gotta wonder why.

    • @khorps4756 1 year ago

      I agree. Google is a known cyber fraud company already, so it's no surprise.

    • @AdamS-nd5hi 1 year ago

      @suncat530 there are tons of vids showing google accepting ad rev from hackers running scam/phishing sites and advertising as the real thing. And they do nothing to stop them

    • @garbagetrash2938 1 year ago

      I understand why carriers don't want to do it, but I'm already writing custom ElasticSearch rules to alert to any .zip TLDs navigated to.

  • @eddiewramos 1 year ago +21

    My grandmother’s computer stands no chance now

  • @barjo_ 1 year ago +38

    Can't wait to be hyper paranoid when downloading any zip file from now on

    • @garbagetrash2938 1 year ago

      Virus total is gonna be everyone's best friend.

  • @hubeldubel9730 1 year ago +22

    Thanks for pointing that out.
    I've added the .zip TLD to my pi hole's regex blacklist, such as many other suspicious TLDs too.

  • @sion-music 1 year ago +58

    It sounds to me like the Marketing department at Google managed to override all the sensible teams (Security, IT, Dev, and practically any other technical team). There is a reason that Marketing departments are often referred to as "the colouring-in team".

    • @vvert1506 1 year ago

      i hate sales i hate marketing i hate the antichrist i hate car culture i hate pussy

  • @SaburoOkita 1 year ago +148

    Google is gonna paddle back and introduce a .rar domain instead!

    • @Seytonic 1 year ago +81

      Maybe we'll get an .exe one day..... Introducing the .exe TLD, where hackers can now confuse you with websites that look like harmless files, making every click a thrilling game of chance. Stay on your toes and pray you don't accidentally download a virus!

    • @seailz 1 year ago +12

      @Seytonic Sounds like something they'd do 💀

    • @cfryantofficial 1 year ago +13

      @Seytonic Yep. Gotta get that domain for all your executives. 😂

    • @ReligionAndMaterialismDebunked 1 year ago +1

      @Seytonic true, though I don't do redundant, begging, and debunked prayer. Hehe

    • @ReligionAndMaterialismDebunked 1 year ago

      I think it's cool. :3

  • @Amy_A. 1 year ago +18

    Why am I not surprised that Google continues to make literally everything they touch just a little bit worse?

  • @dimitribarronmore 1 year ago +72

    In my opinion, browsers should just refuse to resolve TLDs like this. I don't particularly care that it would be walling off anyone who purchases a .zip or similar domain, the only way to shut something like this down is to simply refuse to comply. Make the .zip TLD completely useless and the problem will solve itself.
    Unfortunately we all know that's never happening, seeing as the people who issued the TLD also make the most popular browser, but a clear "potentially malicious link" warning would at least be nice.

    • @BrainPermaDeD 1 year ago +4

      The main problem is people hate to coordinate. So Shrome is staying.

    • @Mernom 1 year ago +1

      You can set up your group policy, or setup your DNS to reject them.

    • @Heknon 1 year ago

      You can add a firewall rule to reject this

    • @Voorhees-Jason 1 year ago

      problem is chrome is one of those browsers lol and a lot and i mean a lot of people uses chrome. Good luck with that one.

    • @donit. 1 year ago

      you realize that basically every browser except firefox is based on chrome?

  • @username65585 1 year ago +86

    Who thought zip was a good idea for a TLD?

  • @notpumkin 1 year ago +34

    Honestly, it's still insane that chrome automatically downloads files by default.

    • @user-xz1ur8us5p 1 year ago +6

      You could configure it to ask where to download each file before actually downloading. But that needs to be set up after the fact when it should be the default setting imo.

    • @gavinthecrafter 1 year ago +3

      Downloading files by themselves is not much of a security threat, right? The program still needs to be executed for it to be malicious

    • @mahdi9064 1 year ago +4

      @gavinthecrafter until your windows security decide that it wants to extract a zip file to check for cp or illegal content, and poof you are hacked.

    • @L2002 1 year ago +5

      @mahdi9064 Clearly you don't know how antivirus work.

    • @garbagetrash2938 1 year ago +2

      @gavinthecrafter this type of attack is called a drive-by download and no it is not particularly dangerous.
      Most organizations will have some type of EDR like carbon black or crowdstrike, that will stop execution anyway.
      It's just stupid to introduce an unnecessary, confusing way for threat actors to make phishing, the most common type of initial access, even easier.

  • @-morrow 1 year ago +6

    2:50 userinfo in url's isn't a legacy feature. it is very often used as username@host for other protocols like e.g. ssh

  • @tayyabnaveed2266 1 year ago +12

    there should be a committee that looks at more things than just the transaction number.
    Like the potential ramifications of allowing the TLD to exist

  • @starchy_ 1 year ago +14

    there is a workaround to make sure you don't fall for this, add the following to your adblocker of choice (which should be ublock origin)
    ||zip^$document
    ||mov^$document
    this will block visiting sites with .zip and .mov tlds, while still allowing resources to be fetched from them (like if google decides to use a .mov domain to serve yt videos) and allowing "zip" and "mov" everywhere else in the url.
    this should give you a nice warning to let you know you're making a mistake, but it's not a fix for the underlying problem, and will only really help for already tech savvy users.

    • @arcticcircle9178 1 year ago

      What do you mean by "allowing resources to be fetched from them"? Would you still be able to accidentally download malicious zip files?

  • @BWAC 1 year ago +8

    Well there goes my Monday, Blocking all TLDs that resemble file names >.< - I await to see a .rar, .7z, .zip or god forbid tax_invoice.xlsx

    • @jer1776 1 year ago

      Good idea, hopefully someone makes a DNS server that does just that

  • @uwuifyingransomware 1 year ago +15

    I understand what you’re saying about web developers implementing safety features like not auto linking, but I see a bigger issue in that random web developers should not have to pick up the pieces after a terrible decision by google. Firstly because it’s not their responsibility (it is google’s, for making a decision that will so obviously go wrong), but also because the average web developer can’t reasonably be expected to know this is happening. That’s not even mentioning the amount of programs that are actively used but don’t receive updates.

  • @alethephobe7586 1 year ago +35

    Your videos are the best. Seriously there's no better channel for cybernews. Thank you sincerely.

    • @Seytonic 1 year ago +9

      Thanks my dude, I appreciate it :)

  • @christopherg2347 1 year ago +5

    When programmers have to add a _exclusion_ for .zip domains, you already fucked up.
    That is a SQL-Injection sized issue - because now programmers have to be aware and invest extra effort just to not cause a issue.

  • @ChefGoreb 1 year ago +59

    The shitstorm once it'll be made public that the first google employee fell for this is gonna be gold.
    Worst idea ever Google. Also, I'm still mad u cancelled Wave.

    • @Amy_A. 1 year ago +4

      I sincerely hope they do, and I hope it finally spooks the public into realizing how little value they actually provide nowadays.

    • @tehjamerz 1 year ago

      I'm still mad about Google video

  • @bubbleteaichooseyou 1 year ago +8

    I'm not gonna try to defend myself. I work in IT and I think I would fall for it as well

  • @blinking_dodo 1 year ago +6

    The @ before domain is still widely used in ssh.
    It is used to specify which username you want to use on the ssh server.

  • @DragoNate 1 year ago +4

    So to remind everyone about links:
    *_DO NOT CLICK RANDOM LINKS_* Even if it comes from a "credible" source.
    check, double check, recheck and check again for good measure.

  • @mordor_3 1 year ago +12

    Google really going for the big brain maneuvers. 🤔

  • @Christopher_S 1 year ago +9

    Wow. I never saw this coming....
    Google with their ever increasing stupidity, but as long as they can make some money out of it eh?

  • @reegyreegz 1 year ago +6

    Lol, time to super-harden my home network due to my elderly parents being on it. This will be a nightmare

  • @edgars9581 1 year ago +4

    Firefox actually asks to confirm when navigating userinfo URLs, so it is less likely to work on it as on Chrome

  • @lucidattf 1 year ago +30

    just because an issue was marked wontfix years ago doesn't mean they can't change their mind if the user credentials in URL trick ever becomes a common attack. auto-hyperlinking domains is the only real concern here, and it can be fixed easily by web developers

    • @stage6fan475 1 year ago +15

      Ah, but in the modern internet, just because an issue can be easily fixed by web developers doesn't mean it ever will except for a small minority of cases.

  • @_JohnHammond 1 year ago +2

    Appreciate the nod @Seytonic! :) Hope to have helped with at least some of the blast radius...

  • @CreoSM 1 year ago +9

    This is seriously a bad idea, they could have chosen anything else but this

  • @BorealBlizzard 1 year ago +10

    Hehehe, I just bought one because they are surprisingly cheap. Using it for a personal landing page and some self hosted services because it's nice and short.

  • @gus473 1 year ago +7

    Read about this example last night, and I think your animated version does a great job of making it more understandable! Yeah, potential mess! Thanks! 😎✌️

  • @___gg421 1 year ago +4

    This was definitely a decision made by a non technical manager type who is refusing to back down now

  • @asdprogram 1 year ago +1

    Thanks for letting us know! You're the best! 👍

  • @wantacupoftea 1 year ago +10

    Not often i find something I would actually fall for. Thanks for bringing it to my attention

  • @bubba99009 1 year ago +8

    This just seems like a gift to hackers. Not sure what the legitimate use case is. Also it's ridiculous the number of TLDs being created just in general. I guess it's close to 100% profit for the registrars and that's the motivation behind it.

    • @freedustin 1 year ago +2

      Not a gift. A sales pitch.

  • @LabiaLicker 1 year ago +2

    This is all going to get worse with Google having complete control over the web now....

  • @Sound_.-Safari 1 year ago +2

    Too many projects not maintained to receive updates that would prevent auto highlight of .zip domains. Though maybe they wouldn’t recognize them anyways. Either way I think it’s too confusing for the end users that are unlikely to learn about it. Adds a tool for phishers and seems low value for the TLD domain space

  • @1cindy8552 1 year ago +2

    there must have been AT LEAST one person in the Google team that knew the repercussions and stayed quiet. no?

  • @douro20 1 year ago +1

    The "backup" one serves a random backup-related quote.

  • @TheUnknownCatWarrior 1 year ago +2

    Set your browser to ask before downloading and you will save your self from those websites that redirect you to an automatic download.

  • @Reeces_Pieces 1 year ago +2

    Blocked the whole TLD after seeing that medium article example. That's just too sneaky.

  • @descuddlebat 1 year ago +5

    I've been using URLs with @ for SSH logins and git clones for some time now, yet I absolutely would've fallen for this one on any font that doesn't give away the slashes... Can we go back to when my online safety wasn't dependent on font choice please

    • @-morrow 1 year ago +4

      yeah, userinfo in urls certainly isn't a "legacy feature" as he seytonic said

  • @jacobelgan5196 1 year ago +1

    Google doing such a seemingly dumb action implies to me that there's something going on behind the scenes that extends to beyond network security that had influenced its existence

  • @cephy8102 1 year ago +3

    Welp, now I just have all the more reason to double-check every link I see lol

  • @KO6BXL1 1 year ago +3

    we won't believe the amount of normal company employees falling for this

  • @somedude7447 1 year ago +2

    This is a really bad idea. What legitimate domains would use this? A zipper company or maybe compression software like 7zip? The negatives far outweigh the positives. Waiting on the .exe/.dmg domains next.

  • @sirshark10 1 year ago +1

    Noting your browser section, Firefox has had a feature to combat this *sort of* for a little bit at least. When you try to connect to a page with a username that doesn't take a login, it will immediately prompt you before navigating.

  • @DragonNuts 1 year ago +2

    I feel like this on the Google ads thing it seems like Google wants people to get hacked

  • @bettercalldelta 1 year ago +2

    I wouldn't even be surprised if google knew exactly what they were doing. It's all about the $$$

  • @RokeJulianLockhart.s13ouq 1 year ago +17

    I believe that we should only have TLDs for each internet governance authority, since that's what they're for - to designate where to send domain resolution requests to.

  • @chickenroyalty9233 1 year ago

    never knew about this thank you very much for spreading the word

  • @FrancescoRosi27 1 year ago +12

    I've always been a little skeptical of .zip ever since Google announced it. Guess my skepticism was well placed!

  • @Jack-vv7zb 1 year ago

    How's the gmail one any different to just changing the text of a link? Both reveal the true destination on hover.

  • @HandlesSuck 1 year ago +21

    Why on earth did they choose .zip? Is there a logical reason?

    • @Amy_A. 1 year ago +10

      "Because we're richer than a million millionaires, so screw you" -Alphabet

    • @dunk7605 1 year ago

      money

  • @Brainiac469 1 year ago

    What are the fonts that make it look weird. Perhaps if we use those it would be an easy way to spot malicious links.

  • @mirrikybird 1 year ago +1

    how would you even blacklist these hyperlinks on a company email system without also blacklisting the mention of a .zip file or a normal download link to a web hosted .zip file?

  • @electricalmayhem 1 year ago

    Does anyone know of a good Firefox extension that will highlight or block unusual Unicode in URLs?

  • @lamjeri 1 year ago +1

    Firefox actually does some work in this regard. As you mentioned, everything before the @ sign is considered a username (and password if there's a : as well), so when you click on such a malicious link, but the landing page doesn't accept logins, Firefox displays a message saying if you're sure you want to proceed because you're about to land on a page that didn't request a login, but the link provided one. Not completely fool proof, but it's a step in the right direction.
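
An added example, not part of the comment thread or the video: the check several commenters describe (everything before `@` is userinfo, fake slashes can hide there, and a `.zip` file download is not the same as a `.zip` host), run through the WHATWG URL parser that browsers use. The function name, TLD list, lookalike set, verdict policy and sample URLs are assumptions constructed for illustration.

```javascript
// Added illustration: triage a link by the host the browser will actually connect to.
// FILE_LIKE_TLDS, SLASH_LOOKALIKES and the verdict policy are assumptions for this example.
const FILE_LIKE_TLDS = new Set(["zip", "mov"]);

// Characters that render like "/" but do not terminate the authority component:
// fraction slash, division slash, big solidus, fullwidth solidus.
const SLASH_LOOKALIKES = new Set(["\u2044", "\u2215", "\u29F8", "\uFF0F"]);

// The URL API returns userinfo percent-encoded; decode it for inspection.
function safeDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch {
    return text; // malformed escape sequence: inspect the raw form instead
  }
}

function analyzeLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { ok: false, host: "", tld: "", userinfo: "", findings: ["unparseable"], verdict: "warn" };
  }

  const host = url.hostname.toLowerCase();
  const labels = host.split(".").filter(Boolean); // tolerate a trailing dot
  const tld = labels.length > 1 ? labels[labels.length - 1] : "";
  const isWeb = url.protocol === "http:" || url.protocol === "https:";

  let userinfo = safeDecode(url.username);
  if (url.password) userinfo += ":" + safeDecode(url.password);

  const findings = [];
  // Userinfo is routine for ssh:// and git clones, so only flag it on web links.
  if (isWeb && userinfo) findings.push("userinfo-in-web-url");
  if ([...userinfo].some((ch) => SLASH_LOOKALIKES.has(ch))) {
    findings.push("slash-lookalike-in-userinfo");
  }
  // Judge the TLD of the real host, never a ".zip" that appears in the path.
  if (FILE_LIKE_TLDS.has(tld)) findings.push("file-like-tld");

  let verdict = "allow";
  if (findings.length > 0) verdict = "warn";
  if (
    findings.includes("slash-lookalike-in-userinfo") ||
    (findings.includes("userinfo-in-web-url") && findings.includes("file-like-tld"))
  ) {
    verdict = "block";
  }
  return { ok: true, host, tld, userinfo, findings, verdict };
}

// Constructed sample links (not taken from the page).
const SAMPLES = [
  "https://example.com/releases/download/v1.2.3.zip",                 // ordinary file download
  "https://example.com\u2215releases\u2215download\u2215@v1-2-3.zip", // real host is v1-2-3.zip
  "ssh://git@example.com/project.git",                                // legitimate userinfo
  "https://setup.zip/",                                               // plain .zip domain
];

for (const link of SAMPLES) {
  const r = analyzeLink(link);
  console.log(`${r.verdict.padEnd(5)} host=${r.host} findings=[${r.findings.join(", ")}]`);
}
```
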

  • @alexanderklee6357 1 year ago +5

    Google's big brain move here is capitalizing on White hats who will buy up .zip domains xD

  • @TommyvanWanroij 1 year ago

    Thanks for the amazing tutorial, will be useful.

  • @charlottenburg 1 year ago +8

    Buying a .zip asap

  • @bioman2007 1 year ago +3

    Liked and sub, Amazing video!
    Pd: Google's motto "Don't be evil" now looks more like just another corporate cliche.

    • @tursilion 1 year ago +8

      They dropped that motto back in 2018 ;)

  • @AntonioNoack 1 year ago +1

    I see the bigger issue in Chromium allowing fake slashes in user credentials / allowing user credentials there at all.
    I'd like to see them removed, and the issue is done.

  • @shalwinbabu645 1 year ago

    Does clicking on a link automatically download executables that also run without us doing anything??

  • @chrisoakleyfx 1 year ago +1

    The scary/infuriating thing about this is that I would 100% fall for this if there were no other obvious red flags of a phishing scam. Those links are very convincing. Sure I wouldn't be dumb enough to open a zip file from a random email (be it an actual .zip or an obfuscated URL), but if it is socially engineered in the right way that gives me little reason to question the authenticity, then sure I could see myself falling for this 👀

  • @Beffel 1 year ago

    My Mail-Provider (it's a quite common one in germany) changes links to some very long url, that gets cut by the browser. They pretend it's a security-check-feature, but for me it looks like an additional landing page to put ads. So even if I try to hover such links, I'm clueless...

  • @TILR 1 year ago

    Could a browser extension be made that detects the fake slashes and blocks you from going to that site?

  • @SzaboB33 1 year ago +2

    I have experience reporting bugs to chromium. They refuse to care if it's not something super critical. :D

  • @its_herocast276 1 year ago +2

    Lesson learned, hover your cursor above a zip download link to check the domain.

  • @1cindy8552 1 year ago

    easy explanation, good graphics.
    you got a new subscriber ;)

  • @arsen3223 1 year ago +2

    If you are phishing someone through gmail with the zip tld then wait until you hear about link display texts. You can already do these download urls scams with any domain. Just checked discord and looks like the part before the @ gets removed in your message. Telegram also has link display texts. But sure, if I see it on a website, I'd probably fall for it

    • @winkcla 1 year ago

      I was thinking about this as well. If you control the email body, obfuscation in the link display text is meaningless. And people are already much less likely to inspect the actual URL. For all apps that auto-link domains written without a protocol in all user content it's going to be really annoying and possibly dangerous as stated in the video

  • @rfkgaming 1 year ago +1

    this is why I have zip and mov blocked at a domain level in my firewall it will just get sent to a blackhole on my network.

  • @physicsgrad 1 year ago +3

    I guess blocking out the .zip TLD via some DNS resolver could be a solution, for now.

  • @n-i-n-o 1 year ago +2

    I'm using NextDNS, and I block new registered Domains and the whole .ZIP Domain by default.

  • @valcaron 1 year ago

    Would one solution be to use a local bind server as a nameserver, and configure it to refuse to resolve any IPs that correlate to anything within a certain blacklist of TLDs? Is that even possible?

    • @momentomori1747 1 year ago

      Nextdns does it easily. Just set up your security config on the site and swap out your dns servers

  • @sanityd1 1 year ago +5

    o god another thing I need to try and explain to my parents - also PCBway even got to you lol

    • @HandlesSuck 1 year ago

      I share your pain.

    • @bruh83483 1 year ago

      what's wrong with him being sponsored

  • @liquidsnake6879 1 year ago +1

    I think web browsers should just blacklist such websites and not treat them as hyperlinks, if someone wants to manually type it in their address bar fine, if not then it shouldn't be rendered as a hyperlink, you can probably make a chrome extension that does this for people

  • @siouxWaits 1 year ago +1

    Why big companies love these days to 'unsecure' the masses ? Lately Discord and Ledger and now Google. What they're up to ???

  • @AvenFurness 1 year ago +2

    Upcoming TLDs include: .exe, .docx, .pdf, .mp3 and .png!

  • @RokeJulianLockhart.s13ouq 1 year ago +1

    What's the link to that Chromium bug report?

  • @Dudeplay 1 year ago

    Thanks for the video, will block tomorrow every .zip domain for DNS resolution in the firm.

  • @roulzhq 1 year ago

    The email sender Matt holt being the creator of the caddy server btw. Awesome guy pushing for security in the web space

  • @chukaml 1 year ago +1

    Because Google wants more money. Not a bit more but globally much more money. More types of TLD means a company owner needs to register more domain names to protect against domain name abuse.

  • @In_swedish_the_jam_means_sylt 11 months ago

    I want to create your kind of stock photos 😂 they are great

  • @g-program-it 1 year ago +1

    cheers for sharing this.
    Another potential exploit to look out for.

  • @nickname7760 1 year ago

    I would have been fallin' for this. Thanks

  • @gameboyv1790 1 year ago

    Anyone know how to make a drive by download that automatically starts

  • @Yune_Faded 1 year ago +1

    Okay i seriously wondering which Engineer or cyber security specialist thought making file name domains was a smart idea. Honestly this just sounds like some marketing people convincing executives that they could earn a lot of money and not listening to engineers

  • @SioxerNikita 1 year ago +1

    Most of this seems more like other security failures that are being exposed now