As of May 3rd, 2023, Google has launched “8 new top-level domains: .dad, .phd, .prof, .esq, .foo, .zip, .mov and .nexus”, and on May 10th, they became publicly available (Yeh). Two of these particular domains may seem familiar to computer users: .zip and .mov. Both of these are the file extensions of popular file formats (.zip being for compressed “zipped” files, and .mov being for video “movie” files). This raises many eyebrows in the cybersecurity world, as allowing a website domain to have the same ending as a popular file format extension can pose significant security issues.

What is a Domain?

But first, it is important to explain what a website domain is. Feel free to skip this section if you already have a good idea of what a web domain is.

Website domains are a way in which we access a website on the Internet through a web browser. A domain, simply put, is “the name of a website”, such as google.com, fbi.gov, or battle.net (Google). If we enter a domain into a web browser, it usually links/converts to a Uniform Resource Locator (URL), which is the “complete web address used to find a particular web page” (Google). These take the form of http://www.google.com, http://fbi.gov, or http://battle.net.

As you can see, each of the domains has a different ending: .com, .gov, or .net. This is the top-level domain. There are a variety of these top-level domains out there that can be paired with a domain name and purchased or rented in order to link to a given website.

Why is this an issue?

Website domains are not the only entity formatted with these “.something” endings. Files end in file extensions, such as .txt, .ppt, .jpeg, or .zip. This is where the issue comes into play. Since we now have two different entities (a website domain and a file format) with the same suffixes (.zip or .mov), it can be difficult to determine whether something is a file to be downloaded from a website or a website itself to be visited. This confusion can be easily exploited by hackers.

Stockley calls .zip domains “a bad idea nobody asked for” as there are plenty of ways to disguise a link to make it look like it takes you to a .zip file when, in reality, it takes you to a website. Let’s look at an example, created by Bobby Rauch (this is the same example referenced by Stockley):

Without clicking on the links, can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe?

https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip
https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip

(Rauch)

If you guessed the top link as being the “malicious phish”, then you are correct. The two URLs look nearly the same, except for one key feature: the @ symbol. Rauch provides an easy-to-follow explanation for what this @ symbol does and why it poses a huge issue: “everything between… https:// and the @ operator is treated as user info, and everything after the @ operator is immediately treated as a” web domain or URL; because “modern browsers such as Chrome, Safari, and Edge don’t want users authenticating to websites accidentally with a single click, … they will ignore all the data in the user info section, and simply direct the user to the hostname portion of the URL” (Rauch). So, for the top link in the above example, most web browsers will discard “github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕” as user info and take users directly to the host v1271.zip. The same could, in theory, be done with the .mov top-level domain.

Not only that, but it is possible to completely “hide” the @ symbol if the link is sent via email. A hacker could change the @ symbol “to a size 1 font, that makes it visually non-existent for the user, but still present as part of the URL” (Rauch).
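As an added illustration (this is not code from the original post or from Rauch), the Python checker below applies the parsing rule just described to a raw URL string: it extracts the host a browser would actually connect to, and flags any user info before an “@”, any slash look-alike character (such as the U+2215 DIVISION SLASH visible in the phishing link above), and any host whose top-level domain doubles as a file extension. The hidden-@ email trick only changes how the link is rendered, so inspecting the underlying href text still exposes it; the two sample URLs are rebuilt from Rauch’s example.

```python
"""Resolve a URL the way a browser does and flag the .zip-TLD tricks."""
import re
import unicodedata

RISKY_TLDS = {"zip", "mov"}  # new TLDs that are also common file extensions

# Authority = everything after "scheme://" up to the first real '/', '?' or '#'
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")


def real_host(url: str) -> tuple[str, str]:
    """Return (userinfo, host) for a URL, as a browser would split it."""
    m = _AUTHORITY.match(url)
    if not m:
        return "", ""
    # Everything before the LAST '@' in the authority is user info, which
    # browsers silently drop; what follows is the host (plus optional port).
    userinfo, _, hostport = m.group(1).rpartition("@")
    host = hostport.split(":", 1)[0]
    return userinfo, host.lower()


def slash_lookalikes(url: str) -> list[str]:
    """Characters that render like '/' but are not U+002F (e.g. U+2215)."""
    found = set()
    for ch in url:
        name = unicodedata.name(ch, "")
        if ch != "/" and (unicodedata.normalize("NFKC", ch) == "/"
                          or name.endswith("SLASH")):
            found.add(f"U+{ord(ch):04X} {name or '?'}")
    return sorted(found)


def assess(url: str) -> dict:
    """Summarise the real destination of a link and why it looks suspicious."""
    userinfo, host = real_host(url)
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    flags = []
    if userinfo:
        flags.append("userinfo-before-@")
    flags += ["lookalike-slash:" + s for s in slash_lookalikes(url)]
    if tld in RISKY_TLDS:
        flags.append("file-extension-tld:" + tld)
    return {"host": host, "userinfo": userinfo, "flags": flags}


# Rauch's two links, reconstructed here; the first uses U+2215 for its "slashes".
PHISH = ("https://github.com\u2215kubernetes\u2215kubernetes\u2215archive"
         "\u2215refs\u2215tags\u2215@v1271.zip")
LEGIT = "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip"

if __name__ == "__main__":
    for link in (PHISH, LEGIT):
        print(assess(link))
```

A legitimate “@” in the path, like the medium.com link to Rauch’s post, is not flagged because the authority ends at the first real slash.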

The TikTok video below by user @johncodes also explains the issue quite well, so I’d suggest watching it.

How can I protect myself?

In theory, you could meticulously check every URL before you click on it, but that would take time and it’s possible that you may miss something. Some URLs even contain the @ symbol on purpose; look no further than the link to Rauch’s post on medium.com: https://medium.com/@bobbyrsec/the-dangers-of-googles-zip-tld-5e1e675e59a5.

If you are a company (or a hardcore cybersecurity enthusiast), a viable alternative is to block any URLs that end in .zip or .mov for your organization. Stockley states that “dot zip will simply die on the vine if enough companies choose to block it”, which will limit the ability of hackers to use .zip as a way to hack into a computer. Further, Stockley advises that, if you are to block these top-level domains, “the best time to do it is now: Almost nobody is currently using it, and nobody is going to use in future if it’s routinely blocked”.

Finally, don’t click on links if you cannot be sure of where they go. This sounds like a silly piece of advice, but it can save you plenty of time and hassle later.

Resources & Further Reading

Google. “Web Terms 101.” Google Domains, domains.google/learn/web-terms-101/. Accessed 18 May 2023.

Rauch, Bobby. “The Dangers of Google’s .Zip TLD.” Medium, 17 May 2023, medium.com/@bobbyrsec/the-dangers-of-googles-zip-tld-5e1e675e59a5.

Stockley, Mark. “Zip Domains, a Bad Idea Nobody Asked For.” Malwarebytes, 18 May 2023, http://www.malwarebytes.com/blog/news/2023/05/zip-domains.

Yeh, Christina. “8 New Top-Level Domains for Dads, Grads and Techies.” Google, 3 May 2023, http://www.blog.google/products/registry/8-new-top-level-domains-for-dads-grads-tech/.
