by kccqzy 4000 days ago
It is quite saddening that there is a recent trend of hiding the complete URL from the user when the URL itself conveys much information. When the URL is hidden the user is not given the incentive to look at the URL, let alone modify it. This kind of bug should have been discovered much sooner when the user is given the opportunity to directly look at the URL and experiment with it.
2 comments

>experiment with it

Be careful with simple "experimentation" like this. You can fall afoul of the CFAA for exactly this.

Explain?
This is very similar to what Weev was indicted and convicted for.[0] Simply passing valid requests to a system can be construed as "unauthorized" if it is unexpected by the operator of that system.

[0] https://en.wikipedia.org/wiki/Goatse_Security

It's not too hard to obfuscate the actual domain for non-technical users, leading to easier phishing. By only displaying the actual domain name, it's much easier for people to see that they aren't on the site they expect to be.

IMO, the tradeoff of reducing phishing effectiveness is worth the small amount of additional effort needed to find this bug.
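An added example, not from the thread, of the point the comment above makes: the hostname a WHATWG URL parser extracts is what a domain-only address bar would show, and it exposes several common ways of making a phishing URL look like a bank login page. The domains (example-bank.com, phish.example, login-verify.example) are constructed placeholders, and the script assumes Node.js, where `URL` is a global.

```javascript
// Added example: what a browser actually connects to (the parsed hostname)
// for several URLs built to resemble a legitimate login page.
// All hostnames here are constructed placeholders, not real sites.

const EXPECTED_HOST = 'example-bank.com'; // assumed legitimate domain

// The hostname as a "domain-only" address bar would present it.
function displayedHost(url) {
  return new URL(url).hostname;
}

// True only if the host is the expected domain or one of its subdomains.
// A bare suffix test would wrongly accept "evil-example-bank.com",
// so the separator dot is part of the comparison.
function isGenuine(url, expected = EXPECTED_HOST) {
  const host = displayedHost(url);
  return host === expected || host.endsWith('.' + expected);
}

// Constructed sample URLs; each obfuscates the real destination differently.
const SAMPLES = {
  genuine:   'https://accounts.example-bank.com/login',
  subdomain: 'https://accounts.example-bank.com.login-verify.example/', // real name is only a prefix label
  userinfo:  'https://accounts.example-bank.com@phish.example/login',   // text before '@' is userinfo, not host
  path:      'https://phish.example/accounts.example-bank.com/login',   // real name appears only in the path
  homoglyph: 'https://ex\u0430mple-bank.com/login',                     // Cyrillic 'а' (U+0430) in place of Latin 'a'
};

// Parse every sample and report the host the browser would show and
// whether it is actually the expected site.
function classify(samples = SAMPLES) {
  const out = {};
  for (const [name, url] of Object.entries(samples)) {
    out[name] = { host: displayedHost(url), genuine: isGenuine(url) };
  }
  return out;
}

for (const [name, r] of Object.entries(classify())) {
  console.log(`${name.padEnd(10)} host=${r.host.padEnd(48)} genuine=${r.genuine}`);
}
```

The homoglyph case is the one a domain-only display helps least on its own: the parser converts the Cyrillic label to its punycode (`xn--...`) form, which is at least visibly different from the expected name, but the check that matters is still that the host is exactly the expected domain or a subdomain of it.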