Everything on the Web is true...
... or is it? David Dorn outlines a clever hoax that proves we're too eager to believe what we see - and uncovers a browser bug that could cost you dearly
Do you believe everything you read on the Web? Better yet, do you believe everything you read in your email? Our transatlantic cousins, it seems, are certainly willing to believe anything their 'friends' tell them. Let me fill you in on the story, which, if it's true, is a cracker.
According to a newsletter I receive every week, a cartoonist in the US wanted to do an experiment to discover just how easy it is to dis-inform lots of people. What he did was to exploit a bug in all the current browsers to make it look as though the information was legitimate and coming from a 'respected' source.
In this case, the source was supposed to be CNN, the American Cable News Network. Our cartoonist simply copied the CNN front page into his Web authoring package, and maintained all its links back to home base - the CNN site. He killed one story, and put his own there - to the effect that Britney Spears had died. That story, couched in CNN livery, resided on his own Web site.
Then he uploaded the lot to his own site. Anyone finding it would get to see the hoax story. But they'd see it wasn't actually at the CNN site - because the address bar would have the hoaxer's own Web address in there, and not CNN's.
Next, he seeded just three people who he had chatted with via IMs and told them 'Have you seen this story on CNN? Britney's dead' and gave them the URL in the form:
Look at that address again. Notice anything strange? What's that '@' sign doing in there?
I'll tell you. That '@' sign marks everything in front of it to be ignored - it's a browser bug, and it bugs every browser I've ever used. So, when you click on the URL as it comes to you, complete with '@' sign, where you actually go has nothing whatever to do with the URL that comes before the '@' - you go to the address after it.
This is a technique that ID and password harvesters use to lull you into thinking you're accessing an official AOL page - most folks don't bother checking more than the www.wherever.com part of an address, often because there's a long string of seemingly meaningless gobbledygook after it.
Anyway, to finish the story, those three people were taken in by the story, and, naturally enough, told more people, who told more people, who told yet more people, until in the space of 12 hours, over 150,000 individuals had visited the hoax site.
It actually gets worse, too. Our cartoonist friend, it seems, had put a 'send this story to a friend' link on the page - and managed to use the CNN forwarding mechanisms to power the send, so that when folks forwarded the story, it looked as though it had actually come from CNN itself, lending yet more credence to the lie.
Three things about this worry me - one is that a 'send to a friend' link can be spoofed this way, and the second is that people are all too willing to believe anything they read on the Web. The third is that browser bug - and it's a real corker, isn't it?
You, however, now know that the bug exists, and you will, hopefully, keep a weather eye out for an '@' in a URL or link that's sent to you, either via email or via Instant Messages. If you do spot one, you can guarantee that you need to examine it a little more closely - look at this one:
It's certainly not an AOL web site (and looks nothing like one when you get there, either - don't worry, it's known to me, it's one of my personal sites and it's perfectly safe to visit). That URL before the '@' sign could be absolutely anything - and if it's long enough, you might miss the '@' altogether!
Next, if the 'fake' site looks like the 'real' site, you could easily be taken in again. So check it out - look in the address bar at the top of your screen and see where you really are. If what you see isn't what you expect, be very wary.
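The check described above can be automated. The following Python code is an added example, not part of the original article: in URL syntax, the text before an '@' in the host part is the optional user-information field, and the host actually contacted is whatever follows the last '@'. The function names, the host names and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Links as they appear in mail or IM text (http, https, ftp only).
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)
# Heuristic (an assumption of this example): a prefix that starts like a
# host name, e.g. "www.site.tld", is there to be mistaken for the destination.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


def inspect_link(url):
    """Report where a link really goes and what precedes '@' in its authority."""
    parts = urlsplit(url)
    prefix = None
    if "@" in parts.netloc:  # an '@' in the path or query does not count
        prefix = unquote(parts.netloc.rpartition("@")[0])
    return {
        "url": url,
        "real_host": parts.hostname,  # what follows the last '@'
        "ignored_prefix": prefix,
        "suspicious": prefix is not None,
        "prefix_looks_like_host": bool(prefix and HOSTLIKE.match(prefix)),
    }


def flag_links(message):
    """Return a report for every link in the message that has an '@' prefix."""
    reports = []
    for match in URL_RE.finditer(message):
        report = inspect_link(match.group(0).rstrip(".,;:!?)"))
        if report["suspicious"]:
            reports.append(report)
    return reports


# Constructed sample message; the host names are placeholders.
SAMPLE = (
    "Have you seen this story? "
    "http://www.news.example@hoax.example.net/top_story.htm "
    "The original is at http://www.news.example/story@section, I think."
)

if __name__ == "__main__":
    for r in flag_links(SAMPLE):
        print(f"{r['url']}\n  goes to: {r['real_host']}\n  ignores: {r['ignored_prefix']}")
```

Only the first link in the sample is reported: the second has its '@' in the path, so its destination really is the host shown at the front.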
Finally, just to allay any worries you may have over the untimely demise of Britney, she isn't dead. As far as we're aware, she's still very much walking about and breathing, alive and