The Issue of Extension-Based TLDs like .zip
Exploring the Risks of Extension-based TLDs
On May 3, 2023, Google introduced eight new top-level domains (TLDs), including .zip and .mov, which coincidentally also serve as file extensions. While these additions may seem innocuous at first, they inadvertently open up a new attack vector for malicious actors. In this blog post, we delve into the potential risks of this development.
Disclaimer: This Tweet is not real

Here we have a trustworthy figure referencing clip.mov. An unsuspecting end-user would simply think this is going to be an amusing video. However, now that .mov is a TLD, when the user clicks clip.mov, instead of a file being downloaded, they will be taken to a website. In this scenario, the website could be hosted by anyone, including threat actors. Consequently, the end-user unknowingly downloads a file named clip.mov.exe, falsely assuming it to be the intended video file.
This attack vector can be used to dynamically serve content as well. For example, take the domain dll.zip. An attacker could create a wildcard subdomain that mimics the legitimate file and hosts it for download. By doing so, they can seamlessly deliver malicious content to their targets, without expending additional effort.
MSVCP71.dll.zip -> malicious.exe
LAPRXY.dll.zip -> malicious.exe
*.dll.zip -> malicious.exe
The simplicity and potential for abuse in this technique are alarming. To illustrate this vulnerability, I have developed a proof-of-concept (PoC) showcasing how easily file names can be hijacked using extension-based URLs. Less than 100 lines of code!
While this attack vector may appear to be relatively specific, it is crucial to recognize its potential for widespread use. As more platforms adopt these new TLDs and incorporate them into hyperlinks, a growing number of users will unknowingly click on *.zip and *.mov links, erroneously assuming they are downloading trusted files. In reality, they may find themselves redirected to malicious websites, falling victim to various forms of cyberattacks.
Take a look at the following URLs:
A careful look at the two URLs will reveal that the second one looks a little off. But at a quick glance, or to somebody who doesn't analyze the full URL and only checks the "domain", it looks pretty legitimate. It uses the Unicode Division Slash character (U+2215). Because of the way URLs are parsed, everything before @SysinternalsSuite.zip is treated as the userinfo (authentication) part of the authority (think https://admin:[email protected]). So the browser treats SysinternalsSuite.zip as the intended host. Try it out! The first link will go to sysinternals.com, and the second will go to SysinternalsSuite.zip.
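The two behaviours described above (a file-name-like host such as msvcp71.dll.zip, and a slash look-alike pushing the real domain into the userinfo part of the URL) can both be checked for on the defending side by asking a URL parser which host it will actually contact. The following is an added example written for this post, not the author's PoC; the sample URLs and messages in it are constructed for illustration, and the lists of extension TLDs, file extensions and slash look-alike characters are assumptions that a deployment would tune.

```python
"""Flag links that exploit file-extension TLDs such as .zip and .mov.

Added defender-side example; the URLs below are constructed for this example
and are not the links from the original post.
"""
import re
from urllib.parse import urlsplit

# TLDs that double as common file extensions (the ones the post discusses)
EXTENSION_TLDS = {"zip", "mov"}
# Extensions that make a hostname look like a file name, e.g. msvcp71.dll.zip
FILE_EXTENSIONS = {"dll", "exe", "pdf", "doc", "docx", "xls", "mp4", "tar"}
# Characters that render like "/" but are not the URL path separator
SLASH_LOOKALIKES = {"\u2215", "\u2044", "\uff0f", "\u29f8", "\u2571"}

# URLs, plus bare tokens like "clip.mov" that chat clients tend to auto-link
LINK_RE = re.compile(r"https?://\S+|\b[\w.-]+\.(?:zip|mov)\b", re.IGNORECASE)


def analyze_url(url: str) -> dict:
    """Return the host a browser would actually contact plus a list of findings."""
    findings = []
    try:
        parts = urlsplit(url)
    except ValueError:
        # urlsplit rejects an authority that gains '/', '@', etc. after NFKC
        # normalization (e.g. a fullwidth solidus); report rather than crash.
        return {"host": None, "findings": ["unparseable-netloc"]}
    host = parts.hostname or ""
    # Everything before the last '@' in the authority is userinfo, not the host.
    userinfo = parts.netloc.rpartition("@")[0] if "@" in parts.netloc else ""
    if userinfo:
        findings.append("userinfo-before-host")
        if any(ch in SLASH_LOOKALIKES for ch in userinfo):
            findings.append("slash-lookalike-in-userinfo")
        elif not userinfo.isascii():
            findings.append("non-ascii-in-userinfo")
    labels = host.split(".")
    if len(labels) >= 2 and labels[-1] in EXTENSION_TLDS:
        findings.append(f"extension-tld:{labels[-1]}")
        # e.g. msvcp71.dll.zip: the label before the TLD is itself an extension
        if len(labels) >= 3 and labels[-2] in FILE_EXTENSIONS:
            findings.append("filename-lookalike-host")
    return {"host": host, "findings": findings}


def find_suspicious_links(text: str) -> list:
    """Scan free text (a chat message, an e-mail body) for links worth flagging."""
    results = []
    for token in LINK_RE.findall(text):
        url = token if token.lower().startswith("http") else "https://" + token
        report = analyze_url(url)
        if report["findings"]:
            results.append((token, report))
    return results


if __name__ == "__main__":
    # Constructed sample: a look-alike URL in the style the post describes
    sample = ("https://www.microsoft.com\u2215sysinternals\u2215files\u2215"
              "@SysinternalsSuite.zip")
    print(analyze_url(sample))
    print(find_suspicious_links("Here is clip.mov, and grab MSVCP71.dll.zip too"))
```

`urlsplit` is used deliberately: it applies the same authority rule as a browser (host is whatever follows the last `@`), so the report shows the host that would really be contacted rather than the one a human reads off the left-hand side of the link. The `unparseable-netloc` branch matters because some look-alike characters (the fullwidth solidus, for one) normalise to a real `/` under NFKC and make the parser refuse the authority; a scanner that let that exception propagate would silently skip exactly the links it should flag.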
This Unicode abuse makes the .zip TLD (and any other current and future extension based TLDs) extremely attractive candidates for phishing campaigns.