by mcintyre1994 3119 days ago
That second link is seriously scary; how would you ever avoid falling for that? Does anyone know how it works? Going to https://tranquil-bits.surge.sh I'm guessing I'm seeing the attacker's form, but it has duckduckgo.com/vpn as the URL and https.

Edit: If you click submit on the VPN form you get "This could have been a phishing page." so it's definitely the attacker's form, that's crazy.


The problem is the XSS vulnerability. This means the attacker can run arbitrary JS on the site, which I assume is used in the second link to modify the form handlers to run the "This could have been a phishing page.". And yes, that could be used to send the credentials somewhere.

There isn't anything you can do to spot this. This is on DuckDuckGo to fix, and them not responding to the report for such a long time is irresponsible and not really excusable.

They're faking the URL too though - https://duckduckgo.com/vpn isn't a real site or product - it just redirects to a DDG search for vpn. The page is entirely the attacker's, but it shows DDG's domain with https.

It looks like tranquil-bit.surge.sh redirects to http://tranquil-bit.surge.sh/vpn so maybe DDG are somehow setting the URL to whatever the u= param redirects to?

The URL faking is with the HTML5 history API. It's possible to fake any URL on that domain because the JavaScript is executed in the context of that domain.