overwriting hyperlink tooltips to display incorrect hyperlink destination URLs
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
People
(Reporter: jpetelka, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [client-bounty-form])
Attachments
(1 file)
6.48 MB, application/msword
This issue applies to Mozilla's Thunderbird application (Ver. 115.11.1).
I have attached a full report to this form with more details, but will discuss the problem broadly here.
Essentially, the title attribute of anchor tags in Thunderbird can be used to deceive users into clicking on malicious links.
Title attributes are normally used to display tooltips over HTML elements to provide users with more contextual information. However in email clients specifically, this behavior can be leveraged in phishing attacks, leading users to click on malicious links.
A common piece of anti-phishing advice is to hover over email hyperlinks to uncover a link's destination URL. However, a malicious attacker could set a link's title attribute to www.google.com, but set the href value to www.evil-google.com. In this scenario, the hyperlink tooltip would suggest the destination URL is google.com, but clicking the link will actually take the user to evil-google.com.
The way Mozilla (and other email inbox application companies) have implemented hyperlink tooltips in their products exposes users to social engineering attacks.
Please feel free to reach out if you have further questions or comments.
Comment 1•7 months ago
I can't open the RTF file easily right now. Generally it's preferred to put details of what you're reporting in the bug rather than the attachment (which is more useful for testcases or patches).
For the webbrowser case, bug 229050 is relevant.
I don't really understand comment 0 without being able to see what's in the RTF file - the destination of real links is shown in the status bar in Thunderbird (at the bottom). I don't see any tooltips for links at all, so nothing is being "overwritten".
Sorry! I'm really new to this so thank you for your patience. I'll put the most relevant details in this comment. The RTF file will have pictures and potential mitigation strategies. If more detail is needed I can fully transcribe the RTF file as a markdown comment or whatever is most helpful.
I also know this is kind of a weird thing to report and maybe not necessarily a bug, but as I will discuss it definitely has implications for user cybersecurity.
Reproducibility
I am able to reproduce this behavior at will using the following steps.
Steps to reproduce
- Create a complete HTML document that includes an anchor tag with a mismatched title and href. For instance:
<a title="https://www.google.com" href="https://www.amazon.com">https://www.google.com</a>
Note that the title attribute and inner HTML are Google's homepage, but the href value is Amazon's homepage. This means when a user hovers over this link, the tooltip will display the Google address, but when they click they will be taken to Amazon. The status bar will correctly display Amazon's home page.
- Open the HTML document in a web browser.
- Copy the rendered HTML elements from the web browser and paste them into a new email in Thunderbird.
Expected Result
Common anti-phishing advice in emails suggests to hover over a hyperlink and check the tooltip to uncover a link's true destination URL. In this case, when a user hovers over an email with the above anchor tag, they would expect the tooltip to say https://www.amazon.com (the href value). While modern email users may not expect a tooltip over every hyperlink or otherwise clickable element, users almost certainly do not expect that a hyperlink tooltip might display the wrong destination URL.
Observed Result
An email that has the above HTML code embedded within it will display the text https://www.google.com. When hovering over the link, the hyperlink tooltip that appears displays the text https://www.google.com. However, clicking on the link will take the user to Amazon. While this is a benign example, the href value could just as easily be a malicious website such as https://www.evil-google.com.
Consequences
Use of this vulnerability may deceive even IT professionals well-trained in anti-phishing strategies. This is particularly true since a common piece of anti-phishing advice is to check the hyperlink tooltip to identify a hyperlink's destination URL [1, 2].
References
1. Dawkins, Shanee, and Jody Jacobs. 2023. "NIST Phish Scale User Guide." NIST TN 2276. Gaithersburg, MD: National Institute of Standards and Technology (U.S.). https://doi.org/10.6028/NIST.TN.2276.
2. Microsoft Support. n.d. "Protect Yourself from Phishing." Accessed June 19, 2024. https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44.
Comment 3•6 months ago
Thanks for the report, but I don't think there's much cause of action here.
IF there's a mismatch of host for a link vs its actual href, upon clicking the link Thunderbird will ask you what to do in that case. Randomly relying on information in a tooltip when the actual text correctly says where it's actually going seems like an odd thing.
Comment 4•6 months ago
(In reply to Magnus Melin [:mkmelin] from comment #3)
> IF there's a mismatch of host for a link vs its actual href, upon clicking the link Thunderbird will ask you what to do in that case.
I just tested, and I confirm this behavior. Thunderbird displays a warning, explaining the mismatch, and asking for a confirmation for following the link.
I agree this provides sufficient protection.
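The check that comment 3 and comment 4 describe, comparing the host a link shows the user with the host its href actually targets, written out as an added example. This is not Thunderbird's own code and not part of the report; it only illustrates the idea. It runs the reproduction anchor from comment 2 (title and link text say www.google.com, href says www.amazon.com) and also inspects the title attribute, which is the tooltip text the report is about. Assumptions: Node.js with the built-in URL class, anchors pulled out with a regular expression rather than a real HTML parser (adequate for the flat HTML pasted into an email, not for arbitrary markup), and a constructed sample email.

```javascript
// Added example (not Thunderbird code): flag anchors whose visible text or
// title attribute names a different host than the href really points to.
// Assumes Node.js; anchors are located with a regex, not a full HTML parser.

function hostFrom(candidate) {
  // Return the hostname named by a URL-like string, or null if the string
  // is prose ("Click here") rather than something a user would read as a URL.
  if (!candidate) return null;
  const s = candidate.trim();
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : `https://${s}`;
  try {
    const u = new URL(withScheme);
    // Require a dotted domain so words and phrases are ignored.
    return /^[a-z0-9.-]+\.[a-z]{2,}$/i.test(u.hostname) ? u.hostname.toLowerCase() : null;
  } catch {
    return null; // URL constructor rejected it (e.g. spaces in the host)
  }
}

function decodeEntities(s) {
  return s
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}

function attr(attrs, name) {
  // Pull one attribute value (double-, single- or un-quoted) out of the
  // attribute string of an opening <a> tag.
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(attrs);
  return m ? decodeEntities(m[1] ?? m[2] ?? m[3]) : null;
}

function findMismatchedLinks(html) {
  // Returns one finding per (anchor, displayed-host source) pair whose
  // displayed host differs from the href host.
  const findings = [];
  const anchorRe = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const href = attr(m[1], 'href');
    const title = attr(m[1], 'title');
    const text = decodeEntities(m[2].replace(/<[^>]+>/g, '')).trim();
    const target = hostFrom(href);
    if (!target) continue; // no usable destination to compare against
    for (const [where, shown] of [['text', text], ['title', title]]) {
      const displayed = hostFrom(shown);
      if (displayed && displayed !== target) {
        findings.push({ where, displayed, target, href });
      }
    }
  }
  return findings;
}

// Constructed sample: the reproduction anchor from the report, plus a
// consistent link and a prose-only link as controls.
const SAMPLE_EMAIL = `
<p>Your account needs attention.</p>
<a title="https://www.google.com" href="https://www.amazon.com">https://www.google.com</a>
<a href="https://www.example.com/login">https://www.example.com/login</a>
<a href="https://www.evil-google.com/login">Click here to sign in</a>
`;

const sampleFindings = findMismatchedLinks(SAMPLE_EMAIL);
for (const f of sampleFindings) {
  console.log(`${f.where} shows ${f.displayed} but href goes to ${f.target} (${f.href})`);
}
```

Only the first anchor is reported, twice: once because its link text names www.google.com and once because its title (the tooltip) does, while the href host is www.amazon.com. The "Click here" link is not reported even though its destination is evil-google.com, which is the limit of this kind of check: it can only catch a displayed URL that disagrees with the real one, not a link whose visible text makes no claim about the destination.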
Updated•6 months ago