Closed Bug 852218 Opened 11 years ago Closed 11 years ago

a href redirection after click

Categories

(Core :: Security, defect)

19 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 257307

People

(Reporter: curtisk, Unassigned)

Details

Date: Sun, 17 Mar 2013 21:41:20 -0400
From: Angela Tupholme <graceful.serenity@hotmail.com>
To: security@mozilla.org
-----//-----
I cannot take credit for this find, but will link the blog post of
someone who found it

http://bilaw.al/2013/03/17/hacking-the-a-tag-in-100-characters.html


[[Website text]]
A short while ago, I discovered that JavaScript allows you to change the <a> href after you click on it. It may not seem that serious at first glance, but rest assured, it can trick customers into giving in their details to fraudsters.

Let me show you an example. This link should take you to PayPal.

You'll see that you do not end up on PayPal (except on Opera, where it appears to have been fixed). That's because when you clicked on the link, I ran some code that changed the href attribute and, surprisingly, the browser sent me to the new link. That shouldn't happen. Website visitors (and perhaps most tech-savvy people) can and will presume where they end up could just be a genuine redirection from, in this case, PayPal. Last year, PayPal redirected their UK homepage to paypal-business.co.uk for months. My assumption is website visitors have grown accustomed to redirections, and if this flaw acts as such, it can pose a real threat to what I call Phishing 2.0.

Let's take a look at the JavaScript:

// Uncompressed
var links = document.getElementsByTagName('a');
for(var i=0; i < links.length; i++){
    links[i].onclick = function(){
        this.href = 'http://bit.ly/141nisR'; // Insert link here
    };
}

// Compressed (100 characters exc. the link)
o=document.getElementsByTagName('a');for(j=0;j<o.length;j++){o[j].onclick=function(){this.href='http://bit.ly/141nisR';}}

It's also very difficult to detect. Almost everyone who uses JavaScript/jQuery will bind an event to an <a> tag, so it's not as simple as unbinding every <a> onclick function. It's very much possible to wrap the code above in a setTimeout to bypass whatever solution can be found. Any half-decent hacker can make a computer virus or embeddable JavaScript code that can inject this code alongside another piece of software. As it's incredibly easy to update JavaScript (particularly embeddable), I would say that tools such as McAfeeSecure and PhishTank won't be able to keep up with phishing websites up to the second.

As it shows no real benefit, I'm pledging to World Wide Web Consortium (W3C) and major browsers to disable the option to change the href attribute after an onclick event. It is an incredibly simple interpreter flaw, and whilst it may seem normal to some, it can be used for ill-fated purposes rather than good. I'm aware Google and websites as such use this, but if we're supposed to be making the web safer, we can't allow for what can be simple flaws to exist. There are alternatives (such as using the genuine link rather than masking it), and for that reason, it should be disabled. It's not worth internet users being victims of fraud and theft.
Status: UNCONFIRMED → NEW
Ever confirmed: true
1)  This is a known public issue, so not security-sensitive.

2)  How does the reporter propose handling 

  <a onclick="window.location='something'; return false"
     href="foo">

?

If the problem is the false sense of security the mouseover thing shows, the only option I see is getting rid of the mouseover thing....
Group: core-security
duplicate of bug 257307, but see also bug 229050
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
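
One way a site could detect the href swap described in the quoted blog post on its own pages, added here as an example (it is not code from this bug, the blog post, or Mozilla). The names `installHrefGuard` and `destinationChanged` are hypothetical. It does not cover the `window.location` plus `return false` case raised in the comment above.

```javascript
// Added example; function names are illustrative, not a browser API.
// True when a link's target moved to a different origin between the
// start and the end of click dispatch.
function destinationChanged(before, after, base) {
  try {
    return new URL(before, base).origin !== new URL(after, base).origin;
  } catch (e) {
    return true; // unparsable target: treat as changed
  }
}

// The capture listener on the document runs before the link's own onclick
// and records the href the user saw. The bubble listener runs after it and
// cancels navigation if the origin changed in between.
// Limitation: a handler that calls stopPropagation() keeps the bubble
// listener from running, so this is a detection aid, not a guarantee.
function installHrefGuard(doc, onBlocked) {
  const seen = new WeakMap();
  const findLink = (node) => {
    while (node && node.tagName !== 'A') node = node.parentNode;
    return node;
  };
  doc.addEventListener('click', (ev) => {
    const a = findLink(ev.target);
    if (a) seen.set(a, a.href);
  }, true);
  doc.addEventListener('click', (ev) => {
    const a = findLink(ev.target);
    if (!a || !seen.has(a)) return;
    const before = seen.get(a);
    if (destinationChanged(before, a.href, doc.baseURI)) {
      ev.preventDefault();
      if (onBlocked) onBlocked(before, a.href);
    }
  }, false);
}

// In a browser: report blocked navigations to the console.
if (typeof document !== 'undefined') installHrefGuard(document, console.warn);
```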