People make mistakes, and that’s why Gooogle.com, Yaho.com and Amazan.com redirect to the websites you’d hope they would point to. Reddit.co? We don’t recommend you visit it.
It’s common practice – codified in the days before browser autocomplete – for major websites to register misspelled domains and have them jump to the name butterfingered users meant to type. Among the most common mistakes is failing to add the “m” to a .com domain, which points to the valid top-level domain for Colombia (.co). Facebook, YouTube, Amazon and Yahoo all redirect .co domains. But security researcher Alec Muffett discovered that Reddit.co now displays a clone of the link aggregation site that steals visitors’ usernames and passwords should they log in accidentally.
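As an added illustration (not from the article), the helper below enumerates the kinds of typo variant the article describes for a brand label, so a site owner can see which of them it has not registered and should either own or monitor; the typo classes, the brand names and the sample “owned” set are assumptions for illustration only.

```python
"""Enumerate typo variants of a brand domain for defensive registration/monitoring."""


def typo_variants(label: str, tld: str = "com") -> set[str]:
    """Return hostnames a user might reach by mistyping label.tld.

    Classes mirror the article: dropped letter (yaho.com), doubled letter
    (gooogle.com), vowel swap (amazan.com), adjacent transposition, and
    the dropped final letter of the TLD that turns .com into Colombia's .co.
    """
    variants: set[str] = set()
    # 1. dropped letter: yahoo -> yaho
    for i in range(len(label)):
        variants.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    # 2. doubled letter: google -> gooogle
    for i in range(len(label)):
        variants.add(f"{label[:i + 1]}{label[i]}{label[i + 1:]}.{tld}")
    # 3. adjacent transposition: reddit -> reddti
    for i in range(len(label) - 1):
        chars = list(label)
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
        variants.add(f"{''.join(chars)}.{tld}")
    # 4. vowel swap: amazon -> amazan
    vowels = "aeiou"
    for i, ch in enumerate(label):
        if ch in vowels:
            for v in vowels:
                if v != ch:
                    variants.add(f"{label[:i]}{v}{label[i + 1:]}.{tld}")
    # 5. truncated TLD: reddit.com -> reddit.co
    if len(tld) > 2:
        variants.add(f"{label}.{tld[:-1]}")
    # the genuine hostname is never a "variant"
    variants.discard(f"{label}.{tld}")
    return variants


def unowned_variants(label: str, tld: str, owned: set[str]) -> list[str]:
    """Variants the brand does not control: the gaps to register or watch."""
    return sorted(v for v in typo_variants(label, tld) if v not in owned)


if __name__ == "__main__":
    # constructed sample: suppose Reddit owned only these two names
    owned = {"reddit.com", "redit.com"}
    for host in unowned_variants("reddit", "com", owned):
        print(host)
```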
HEADSUP: Looking for infosec people at @Reddit. Website at (phishing?) domain reddit(.)co — using the Colombian TLD — was acting a pitch-perfect apparent MITM of the actual Reddit. Now returning 500 before I could screenshot it. Domain ownership is as follows: pic.twitter.com/hpucMroumd
— Alec Muffett (@AlecMuffett) February 5, 2018
Muffett expressed disbelief that the .co registry would allow anyone to register the name. But more surprising is that this phishing clone isn’t the result of an opportunistic hacker nabbing Reddit.co as soon as its registration lapsed. Going back to 2010, Reddit, the 13th most popular site in the US, has never owned the domain despite many opportunities to do so.
According to DomainTools, Reddit.co was never registered before July of 2010, about five years into Reddit’s life, and during the period “the frontpage of the internet” was under the auspices of Condé Nast. Various archives show the URL pointed to a Flash games site and a porn cam site, but mostly the domain was a parking page for interested parties to buy the name.
Of course, not every contingency can be prepared for. Gooogle.com and Google.co might take a sloppy typer to a search engine. Goggle.com, however, is a white webpage with only the word “goggle” on it.
We’ve reached out to Reddit to see if the company attempted to buy Reddit.co at some point. In the meantime, double-check your browser’s address bar to be sure you’re really on Reddit.