.ZIP Domain
By abusing a known Chrome behavior, one Google has decided not to fix, it is possible to construct a URL containing a Unicode character that renders like a slash, U+2215 DIVISION SLASH (∕), but is not treated as a path separator when the browser parses and fetches the URL.
Add to that the @ character. In RFC 3986 it delimits the user-information part of the authority (user:password@host), and modern browsers still parse it but discard or ignore the credentials, because embedded authentication is unsafe. Put the two together and this link ...
https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip
... is fetched from the host v1271.zip, because everything between https:// and the @ is treated as user information and the real host is whatever follows the @. Only the two slashes after the scheme need to be real; every other ∕ in the link is the lookalike, and the text reads as a legitimate GitHub download link.
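The split described above, shown with the WHATWG URL parser that Chrome and Node.js share. This is an added example, not code from the original page: the two URLs are constructed here for the demonstration, v1271.zip is the hypothetical attacker host from the text, and the lookalike check at the end is a heuristic a link scanner might use, not something the page describes.

```javascript
// Added example: WHATWG URL parsing of a real-slash link versus the U+2215 lookalike.
// Run with: node this_file.js

const DIVISION_SLASH = "\u2215"; // "∕", renders like "/" but is not a URL delimiter

// Build both URLs from the same parts so the only difference is the separator.
// The trailing "" reproduces the "tags∕@" in the link from the text.
const PARTS = ["github.com", "kubernetes", "kubernetes", "archive", "refs", "tags", ""];
const REAL_URL = "https://" + PARTS.join("/") + "@v1271.zip";
const LOOKALIKE_URL = "https://" + PARTS.join(DIVISION_SLASH) + "@v1271.zip";

// Return the components a browser acts on when it fetches the URL.
// Non-ASCII code points in userinfo are percent-encoded by the parser,
// so decode the username to see what the "@" actually split off.
function parse(href) {
  const u = new URL(href);
  return {
    hostname: u.hostname,                     // where the request is sent
    userinfo: decodeURIComponent(u.username), // text swallowed as "user information"
    pathname: u.pathname,                     // path the server sees
  };
}

// Heuristic for a link scanner (assumption, not from the page): a URL whose
// userinfo contains a slash lookalike is almost certainly hiding its real host.
// U+2215 DIVISION SLASH, U+2044 FRACTION SLASH, U+FF0F FULLWIDTH SOLIDUS.
const SLASH_LOOKALIKES = /[\u2215\u2044\uFF0F]/;

function hidesHostInUserinfo(href) {
  const u = new URL(href);
  if (u.username === "" && u.password === "") return false; // no "@" authority split
  const userinfo = decodeURIComponent(u.username + ":" + u.password);
  return SLASH_LOOKALIKES.test(userinfo);
}

// Stand-alone demonstration.
console.log("real slashes:", parse(REAL_URL));
console.log("U+2215 slashes:", parse(LOOKALIKE_URL));
console.log("flagged:", hidesHostInUserinfo(LOOKALIKE_URL), hidesHostInUserinfo(REAL_URL));
```

With real slashes the parser stops the authority at the first "/", so the host is github.com and "@v1271.zip" is just the tail of the path. With U+2215 there is no "/" after the scheme, the whole run up to "@" becomes the username, and the host is v1271.zip with an empty path.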
The resulting v1271.zip domain can be registered by anyone and used to host, say, a Flask application that answers every request, whatever the path, with a malicious .exe file, while the victim believes they clicked a GitHub release download.