Credentials in URL can be used for a spoofing attack!


Opera and other Chromium-based browsers consider this as expected behaviour. Even though the user lands on another website than the one written before the @ sign, the address bar is still the ultimate UI element which provides security information showing the actual website and not the web address written in the address bar. Additionally, Opera hides the username and password information after navigation in the URL box, so users can clearly see which site they really visit. This way, the effectiveness of such spoofing attacks is minimized.