I don’t know why this works, but it’s some kinda feature of URLs:
https://google.com@chriscoyier.net/
It’s not a Google thing, I think anything works:
https://daverupert.com@chriscoyier.net/
It opens a door to make functional URLs that go somewhere you really aren’t expecting:
https://definitely-safe-place-to@buy-drugzzz.com
I saw this in The Dangers of Google's .zip TLD, which used these examples:
https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip
https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip
Try that first one. In every browser it takes you to the currently non-existent v1271.zip, which, now that .zip is a top-level domain, is a valid web address. The slashes in that first URL aren't slashes at all (they're U+2215 DIVISION SLASH), so everything before the @ is just a username and the only real host is v1271.zip.
This comes from HTTP Basic Authentication. Some websites let you log in with a URL like http://myusername:mypassword@example.com, and if the URL carries no credentials and the server answers with a 401 challenge, the browser pops up a little modal of its own asking for them. It's easy to turn on with web servers like nginx, and useful for password-protecting a page on a website before it is ready to go live.
Waaaaaay back, you could send your credentials to a website with a URL like http://user:pass@totallysafe.com. Browsers would take the username and password, base64-encode them as user:pass, and inject the result into the Authorization header. AFAIK, no browser does this silently anymore, but they all still respect the URL format, in case someone clicks such a URL in an email from 1998.
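To make the two things above concrete, here is an added example (my code, not anything from the original post): it runs the post's URLs, plus the .zip lookalike rebuilt from U+2215, through the WHATWG URL parser that browsers use, reports the host each one really goes to, flags the tricks in play, shows the Basic Authorization header a 1990s browser would have derived from the userinfo, and renders a display string that keeps the host prominent and the password hidden. The function names (inspectUrl, displayString), the warning wording, and the list of slash lookalikes beyond U+2215 are my own assumptions; it goes slightly beyond the post by treating any dotted label in the username as suspicious, not just google.com. Runs under Node.js with no dependencies.

```javascript
// Added example, not code from the original post: inspect a URL that carries
// a userinfo ("user:password@") part, report the host it really resolves to,
// flag the tricks discussed above, and show the Authorization header a
// legacy browser would have derived from it. Node.js, no dependencies.

// Characters that look like "/" but are not. The URL parser treats them as
// ordinary characters, so "github.com∕kubernetes∕…∕tags∕" is all username.
// (Assumption: this list is mine; the post only mentions the U+2215 case.)
const SLASH_LOOKALIKES = new Map([
  ["\u2215", "DIVISION SLASH"],
  ["\u2044", "FRACTION SLASH"],
  ["\uFF0F", "FULLWIDTH SOLIDUS"],
  ["\u29F8", "BIG SOLIDUS"],
]);

// "host.tld" at the start of the userinfo. The \b lets "github.com∕kubernetes"
// match too, since U+2215 is not a word character.
const HOSTNAME_PREFIX = /^[a-z0-9-]+(\.[a-z0-9-]+)+\b/i;

function inspectUrl(raw) {
  const url = new URL(raw); // WHATWG parser, same rules browsers use; throws on junk
  const username = decodeURIComponent(url.username);
  const password = decodeURIComponent(url.password);
  const hasUserinfo = username !== "" || password !== "";
  const warnings = [];

  if (hasUserinfo) warnings.push("URL carries embedded credentials (userinfo)");
  if (HOSTNAME_PREFIX.test(username)) {
    warnings.push(`userinfo "${username}" reads like a hostname; real host is ${url.hostname}`);
  }
  const seen = new Set();
  for (const ch of username + password) {
    const name = SLASH_LOOKALIKES.get(ch);
    if (name && !seen.has(name)) {
      seen.add(name);
      const cp = ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
      warnings.push(`U+${cp} ${name} used where "/" would be expected`);
    }
  }

  // RFC 7617 Basic authentication: base64(username ":" password). This is what
  // an old browser injected into the request when it saw user:pass@host.
  const legacyAuthorization = hasUserinfo
    ? "Basic " + Buffer.from(`${username}:${password}`, "utf8").toString("base64")
    : null;

  return {
    host: url.hostname,
    username,
    password,
    warnings,
    legacyAuthorization,
    display: displayString(url),
  };
}

// Render the URL the way RFC 3986 section 7.6 suggests: the real target first
// and prominent, userinfo visibly set apart, and the password never shown in
// clear text (section 3.2.1). The exact layout is my choice.
function displayString(url) {
  const target = `${url.protocol}//${url.host}${url.pathname}${url.search}`;
  if (url.username === "" && url.password === "") return target;
  const user = decodeURIComponent(url.username) || "(empty)";
  const pw = url.password === "" ? "" : " (password hidden)";
  return `${target}   [logs in as: ${user}${pw}]`;
}

// Usage: `node inspect-url.js`. Inputs are the post's examples plus the .zip
// lookalike, constructed here with U+2215 in place of "/".
if (typeof require !== "undefined" && require.main === module) {
  const samples = [
    "https://google.com@chriscoyier.net/",
    "https://definitely-safe-place-to@buy-drugzzz.com",
    "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs\u2215tags\u2215@v1271.zip",
    "http://user:pass@totallysafe.com",
  ];
  for (const s of samples) console.log(inspectUrl(s));
}
```

Note that the parser does the hard work: everything before the last @ in the authority is userinfo, whatever it looks like, and non-ASCII characters there come back percent-encoded (hence the decodeURIComponent). A mail or chat client that wants to show users where a link really goes only needs `url.hostname`; the rest of this block is about explaining why the raw string was misleading.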
Firefox warns the user about it.
Firefox does show a warning:
It goes beyond HTTP and the web. It's part of the URI spec: the "User Information" subcomponent of a URI.
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1
The spec recommends that the userinfo subcomponent be rendered differently to avoid “Semantic Attacks”, which is not a very realistic option. They go on to describe the exact problem that Chris points out here:
https://datatracker.ietf.org/doc/html/rfc3986#section-7.6
You’ll see in the spec that the userinfo subcomponent is partially deprecated. In my opinion, it shouldn’t be supported by browsers at all.
Sounds like Google is very on board for killing it.
https://mastodon.social/@Yoav/110414080916605916
https://mastodon.social/@mikewest/110414334955989895
https://infosec.exchange/@fugueish/110414455869660479