Open Bug 1001790 Opened 11 years ago Updated 5 months ago

contenteditable attribute hides url of links from status bar (exposing users to scam/spam links!)

Categories

(Thunderbird :: Security, defect)

24 Branch
defect

Tracking

(thunderbird31+)

Tracking Status
thunderbird31 + ---

People

(Reporter: firefoxbugs, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140317233339

Steps to reproduce:

For one, the contenteditable attribute has no legitimate purpose in an email and should be flatly ignored. But scammers/spammers use this "feature" to keep recipients from seeing the URL of a link when they hover over it.

To reproduce:

1) Make an email that contains the following code:

    <div contenteditable="true">
    Please visit: <a href="http://foe.com">http://friend.org</a>
    </div>

2) Send it to yourself.
3) Hover over the link.

Actual results:

No URL is displayed in the status bar.

Expected results:

1) The contenteditable attribute should have been ignored, and/or:
2) The URL should be displayed in the status bar.
(In reply to Andreas M. Kirchwitz from comment #1)
> Looks like the same bug as
> https://bugzilla.mozilla.org/show_bug.cgi?id=993545

From the way it's described, I don't see how it can be. He says in the second comment: "It's not just certain messages, it's all of them. However, I'm now seeing that it may be intermittent. It was working normally over the weekend, but not now since I restarted TB." Marty reports a bug that affects all messages intermittently. I'm reporting a bug that affects certain messages all the time.
I'm sorry, it was my first thought that it might be related because in the beginning I didn't know what was causing Marty's bug (the same what happened to me). I later realized that it wasn't related to any content of the mail but a more general problem of the status bar (it not only affects display of link destinations but also all other status messages - and that was even a new detail for Marty's bug). If there is a way to revoke my comment here, I would do it. Both bug reports are not related. I know that now. Please accept my apologies for causing any confusion. I really hope that the issue described in this bug report gets fixed too.
firefoxbugs (reporter), thanks for this concise bug report. Confirming as described. This is a security risk because it exposes users to scam/spam links without an easy way of verifying the link target. It's also very easy to exploit for spammers, just add contenteditable attribute around your bad links, and you're done. Magnus, I recall we once had a warning alert when clicking links where link text is URLish and doesn't match the target URL, but I don't get that warning on Trunk, with or without contenteditable. Has the alert been removed again? Can you point to respective bugs pls?
Component: Untriaged → Security
OS: Linux → All
Hardware: x86 → All
Summary: contenteditable attribute hides url of links from status bar → contenteditable attribute hides url of links from status bar (exposing users to scam/spam links!)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: testcase
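The two checks discussed so far, a URL-ish link text that names a different host than the href (the warning Thomas asks about) and a contenteditable ancestor that hides the href on hover (comment 0), as an added example that is not part of this bug report and is not Thunderbird's phishingDetector.js. It walks the mail markup with a small tag tokenizer instead of a DOM so it runs under plain Node; the sample message is constructed from the snippet in comment 0 plus three control links. The function names, the host comparison rule (hosts compared exactly after dropping a leading "www.") and the contenteditable inheritance handling are this example's own assumptions, not Thunderbird's implementation.

```javascript
// Added example, not Thunderbird's phishingDetector.js: flag anchors whose visible
// text is URL-like but points at a different host, and record whether an enclosing
// contenteditable element would suppress the status-bar URL on hover.
// A minimal tag tokenizer is used instead of a DOM so this runs under plain Node.

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
// Elements that never get a closing tag; they must not be pushed on the open-element stack.
const VOID_ELEMENTS = new Set(['area', 'base', 'br', 'col', 'hr', 'img', 'input', 'link', 'meta', 'source', 'wbr']);

// Returns undefined if the attribute is absent, '' if present without a value, else its value.
function readAttr(attrs, name) {
  const re = new RegExp(
    `(?:^|\\s)${name}(?![\\w-])(?:\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+)))?`, 'i');
  const m = re.exec(attrs);
  if (!m) return undefined;
  return m[1] ?? m[2] ?? m[3] ?? '';
}

// contenteditable semantics: "", "true" and "plaintext-only" enable editing,
// "false" disables it, anything else (including "inherit") takes the parent's state.
function editableFor(attrs, parentEditable) {
  const v = readAttr(attrs, 'contenteditable');
  if (v === undefined) return parentEditable;
  const lv = v.trim().toLowerCase();
  if (lv === '' || lv === 'true' || lv === 'plaintext-only') return true;
  if (lv === 'false') return false;
  return parentEditable;
}

// Lower-cased host of a URL-looking string ("http://x", "https://x" or bare "www.x/...").
// Assumption of this example: a leading "www." is ignored, so www.friend.org equals friend.org.
function hostOf(s) {
  const m = /^(?:https?:\/\/)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?::\d+)?(?:[\/?#]|$)/i
    .exec(s.trim());
  return m ? m[1].toLowerCase() : null;
}

function describeAnchor(a) {
  const text = a.text.replace(/\s+/g, ' ').trim();
  const textHost = hostOf(text);
  const hrefHost = hostOf(a.href);
  return {
    href: a.href,
    text,
    textLooksLikeUrl: textHost !== null,
    hostMismatch: textHost !== null && hrefHost !== null && textHost !== hrefHost,
    hiddenByContenteditable: a.editable,
  };
}

// Walks the markup once, tracking open elements and their effective contenteditable state.
function scanLinks(html) {
  const links = [];
  const stack = [];   // open elements: { name, editable }
  let anchor = null;  // the <a> currently being read, if any
  let last = 0;
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    if (anchor) anchor.text += html.slice(last, m.index);
    last = m.index + m[0].length;
    const [tag, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    if (tag.startsWith('</')) {
      if (name === 'a' && anchor) { links.push(describeAnchor(anchor)); anchor = null; }
      const i = stack.map(e => e.name).lastIndexOf(name);
      if (i >= 0) stack.length = i;   // also drops any unclosed children
      continue;
    }
    const parentEditable = stack.length ? stack[stack.length - 1].editable : false;
    const editable = editableFor(attrs, parentEditable);
    if (name === 'a') anchor = { href: readAttr(attrs, 'href') ?? '', text: '', editable };
    if (!VOID_ELEMENTS.has(name) && !tag.endsWith('/>')) stack.push({ name, editable });
  }
  return links;
}

// The check Thomas describes: link text that is URL-ish but names another host.
function suspiciousLinks(html) {
  return scanLinks(html).filter(l => l.hostMismatch);
}

// Constructed sample message, not a real mail: comment 0's snippet plus three controls.
const SAMPLE_MAIL = `<html><body>
<div contenteditable="true">
  Please visit: <a href="http://foe.com">http://friend.org</a>
</div>
<p>Your statement: <a href="https://bank.example/login">https://bank.example/login</a></p>
<p><a href="https://evil.example/x">Click here</a></p>
<div contenteditable="true"><span contenteditable="false">
  <a href="http://foe.com">www.friend.org/account</a></span></div>
</body></html>`;

for (const l of suspiciousLinks(SAMPLE_MAIL)) {
  console.log(`${l.text} -> ${l.href}` +
    (l.hiddenByContenteditable ? ' (target hidden from status bar by contenteditable)' : ''));
}
```

On the sample, the first and last links are reported as host mismatches; only the first is also inside an effective contenteditable region, because the nested contenteditable="false" span switches editing off again for the last one. "Click here" is not flagged since it is not URL-ish, which is exactly why a status-bar URL (and not only this text check) matters to the recipient.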
Thomas: it is still there - http://mxr.mozilla.org/comm-central/source/mail/base/content/phishingDetector.js#252 - but yeah, seems never to come up for some reason on trunk. (You do get the scam warning bar though.) Could you file a bug?
Blocks: mail-scam
Blocks: 1005687
(In reply to Magnus Melin from comment #6)
> Thomas: it is still there -
> http://mxr.mozilla.org/comm-central/source/mail/base/content/phishingDetector.js#252
> - but yeah, seems never to come up for some reason on trunk. (You do get the scam warning bar though.) Could you file a bug?

Bug 1005687, with patch :)
Severity: normal → S3