Google's new .zip and .mov domains are a security incident waiting to happen

XDA

By Adam Conway

Published May 15, 2023

Some of Google's new domains look like file extensions, which might cause more problems for users.

The internet is controlled by a very strict set of rules, governed mostly by the Internet Corporation for Assigned Names and Numbers (ICANN). Only the ICANN has authority over top-level domains (TLD), the likes of .com, .org, .net, and every other URL ending that you can think of. However, it delegates the responsibility of these TLDs to a number of approved organizations. One such organization is Google, and Google just launched .dad, .phd, .prof, .esq, .foo, .nexus, .zip, and .mov.

The implications of having a .zip and .mov TLD are particularly worrying because these are commonly used file extensions. Imagine operating a phishing site on a .zip domain and sending that to a person who may not be as tech-savvy as you are. There's already a website called financialstatement.zip that demonstrates exactly how that would look, and that has the potential to be scary. But it's only the potential, and I doubt it'll become as big of an issue as it might seem.

Why .zip domains can be a problem

A significant amount of software automatically converts links that look like URLs into something clickable and for good reason. A string that ends with .com is almost always going to be a website, and the same applies to pretty much all TLDs. Software won't do this just yet with .zip domains since programs need to be updated, but as they get updates with updated TLD lists, it's likely that .zip will be included in some. Now, when someone says something like "Please find financialstatement.zip attached," at least some programs will automatically convert this to an actual clickable link. Given that the person receiving the email is expecting to get a zip file, an attacker could upload a zip file to this website, meaning that to the end user, nothing even looks out of place.

These concerns all apply to the .mov file extension too, which is a video file format.

Setting a TLD to a common file extension is fairly short-sighted, particularly as it can only aid phishers and other malicious actors in attempting to confuse and mislead potential victims. We're already seeing software that converts .zip TLDs into clickable URLs. If someone has mentioned a .zip file on Twitter in an older tweet, that file name is now clickable and will bring someone to a website. While this has always happened, .zip wasn't a valid TLD until now.

It's quite common that someone may write a zip file name somewhere, but it'll no longer be clear if it's a file name or a website. Sure, you can use context clues, but those will likely become blurred over time and will confuse people who may not necessarily be in the know.

It's technically not the first time a TLD has shared a name with a file extension since the .com file extension was used on MS-DOS machines. Still, times have very much changed, and we no longer use the .com file extension for executables. And that probably won't change with .zip.

The risks may be overstated

Thankfully, I'm not quite sure that .zip and .mov are doomsday-level additions to the list of TLDs. Plenty of TLDs aren't automatically converted by programs, and you often need to add https:// to the start of your URL if it's a non-standard TLD to make it clickable. In the case of sites like Twitter, yes, they become clickable, but most websites and programs likely won't add it to their list of automatically linking TLDs because of the uproar in relation to security concerns.

The other domains that Google added aren't really as problematic either, with TLDs like .dad and .phd domains being a fun way to make a more personalized website. It's likely not as big of an issue as many are making it out to be. It's not great, but it's not the end of the .zip or .mov formats as we know them.