Or the attacker could've just sent you ... a link to familyphotos.zip. I'm not sure why you're bringing client-side auto-vivification (which yes, is a bad idea) into the picture when the attacker could equally send a link. I'm also not sure why you assume that clients will begin to auto-vivify .zip links just as a result of it existing, nor why you assume that's any worse than them auto-vivifying https://example.com/familyphotos.zip.