Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

{Quick Post} URL shortcuts

3 Comments Posted by on March 1, 2012

I’ve had this little snippet hanging about for a while, and I’m almost sure 99% of people are already aware of this, but hey, that still means 1% aren’t. So here’s a quick quirk that I noticed a few years back in the way browsers process values entered into the location bar.

If you’re like most users, you type google.com to get to Google much more than you type http://www.google.com… after all, if HTTP is the default and the remote site handles the redirect to the right place, it’s all good! Still, in the location bar, HTTP isn’t the default! Before tying that, your browser is going to check you didn’t mean something else…

To test this, create a shortcut on your Windows desktop called yahoo.com and assign the shortcut to go to http://www.google.com… if you want to do this programatically, just open an editor and enter the following :

[InternetShortcut]
URL=http://www.google.com/
IDList=

Now save that as yahoo.com.url on the desktop and open your favourite browser. Type yahoo.com into the location bar and see what happens!

Conclusion:

As far as a security issue goes, I’m not sure you can class this as a problem. After all if you have the ability to edit files on a system, then surely altering the etc/hosts file would be more effective. Still, maybe on restricted systems this might come in handy!

Note:

A few people have mentioned that this seems fixed in the latest Chrome and in IE 8. Tested this end and IE 7 is “vulnerable” to this quirk. Nice to see browser vendors have started fixing this over the past year or so!

Security, Strange ,

3 responses to “{Quick Post} URL shortcuts

  1. Frank Koehntopp (@koehntopp) March 1, 2012 at 15:40

    Uhm… opening yahoo.com here (IE8, Chrome)

  2. ChrisJohnRiley March 1, 2012 at 17:26

    Thanks for the feedback… as this ones been sitting in my pile for a few years, I didn’t recheck on the latest browsers. My bad…

    Checked this end and Chrome and FireFox now appear to handle this correctly. IE 7 (and probably prior) appear to still take the shortcut from the desktop before attempting HTTP://

    Thanks again for the feedback!

  3. Pingback: Google Shortcuts « OBAR46 BLOG's