Closed
Bug 1498867
Opened 7 years ago
Closed 5 years ago
Link preview enables phishing by showing title attribute instead of href
Categories
(Firefox for Android Graveyard :: General, defect, P3)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: mozilla.org, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Steps to reproduce:
Firefox 64.0a1 (2018-10-13) for Android
Tap and hold a link that has a title attribute, e.g. the one labelled "Physorg Article" in this snippet:
https://www.jsnippet.net/snippet/1748/1/
Actual results:
A link dialog pops up with preview text taken from the title attribute instead of the href. As in this snippet, the title attribute can be a valid (potentially malicious) URL. Tap "Open Link in New Tab" and this actual URL (example.com) is opened.
Expected results:
A page should not be able to spoof a URL. The title attribute is intended to provide "advisory information about the element", which on desktop browsers is displayed as a tooltip. On Android, the link dialog is devoted to actions one can take on the link, and the display of the title attribute is surprising and dangerous. It should always display the href.
Comment 1•7 years ago
Sadly true, although I still find this very useful on a number of pages that are using the "title" attribute in a wholly legitimate manner and would therefore hate to lose that.
Attempting to detect and blacklist suspicious title strings probably leads into a rabbit hole of false positives and false negatives that you don't want to go into, though.
Maybe something like the design of the "Top Sites" context menu title would work, i.e. if we've got a link with a title, display the real link target in a different font above the title?
I might be able to look at this further at some point, but right now I'm a bit busy with other work.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Unspecified → Android
Hardware: Unspecified → All
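The behaviour the report asks for, combined with the layout suggested in Comment 1, as an added example that is not Firefox code and not part of the original bug thread: the resolved href is always the primary line of the dialog and the title is only a secondary label. The function names, the URL-likeness heuristic and the sample anchors are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, not Firefox/Fenix code.
const SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i;
const BARE_HOST = /^(www\.)?([a-z0-9-]+\.)+[a-z]{2,}(\/\S*)?$/i;

// Does the advisory title read like a URL or a bare hostname?
function looksLikeUrl(text) {
  return SCHEME.test(text) || BARE_HOST.test(text);
}

// Host that a URL-like title claims to point at, or null if unparseable.
function claimedHost(text) {
  try {
    return new URL(SCHEME.test(text) ? text : "https://" + text).hostname;
  } catch {
    return null;
  }
}

// Build the dialog header: the resolved href is always the primary line,
// the title (if any) is secondary. `mismatch` is an advisory hint only;
// the safety property does not depend on the heuristic being right.
function linkDialogHeader(href, title, baseUrl) {
  let target;
  try {
    target = new URL(href, baseUrl);
  } catch {
    return { primary: String(href), secondary: null, mismatch: false };
  }
  const label = (title || "").trim();
  if (!label) return { primary: target.href, secondary: null, mismatch: false };
  const mismatch = looksLikeUrl(label) && claimedHost(label) !== target.hostname;
  return { primary: target.href, secondary: label, mismatch };
}

// Constructed sample anchors (not the markup from the linked snippet).
const PAGE = "https://www.jsnippet.net/snippet/1748/1/";
const SAMPLES = [
  { href: "https://example.com/", title: "https://news.example.org/article" },
  { href: "/about", title: "About this site" },
  { href: "https://example.com/docs", title: "example.com/docs" },
];
for (const a of SAMPLES) console.log(linkDialogHeader(a.href, a.title, PAGE));
```

Legitimate titles are still shown, so pages that use the attribute as advisory text lose nothing; only the position of the real destination changes.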
Updated•6 years ago
Priority: -- → P3
Comment 2•5 years ago
We have completed our launch of our new Firefox on Android. The development of the new versions uses GitHub for issue tracking. If the bug report still reproduces in a current version of [Firefox on Android nightly](https://play.google.com/store/apps/details?id=org.mozilla.fenix), an issue can be reported at the [Fenix GitHub project](https://github.com/mozilla-mobile/fenix/). If you want to discuss your report, please use [Mozilla's chat](https://wiki.mozilla.org/Matrix#Connect_to_Matrix) server https://chat.mozilla.org and join the [#fenix](https://chat.mozilla.org/#/room/#fenix:mozilla.org) channel.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INCOMPLETE
Updated•5 years ago
Product: Firefox for Android → Firefox for Android Graveyard