False links can spoof the user.

RESOLVED DUPLICATE of bug 257307

Status


Firefox
General
--
major
13 years ago
13 years ago

People

(Reporter: Marc Chamberlin, Assigned: Blake Ross)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041109 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041109 Firefox/1.0

I hope a few of the developers for Netscape, Mozilla, Firefox, and Thunderbird
are reading this because I am a bit angry that I have to think of this for you.

There is a simple security fix that OUGHT to be in every browser and email
handler and it is this. IF A LINK URL IS GIVEN IN THE DOCUMENT THAT DESCRIBES
ONE URL WHILE ACTUALLY POINTING TO A DIFFERENT URL, THE USER OUGHT TO SEE A BIG
RED POPUP SAYING "DANGER DANGER WILL ROBINSON!"

So for example if the html code is something like -

<a href="www.somesleazebag.com">www.somerealplace.com</a>

it should be very simple to catch this type of spoofing and give the poor user a
heads up warning! AND this should be the default behaviour if you want to make
it a user settable option.

I am seeing a lot of email that tries to sucker the poor users into giving up
vital information by pretending to be coming from a legitimate place, then
actually redirecting them to a website that pretends to be that site and thus
gain access to vital information. Sites like PayPals and EBay are prime
examples. I get a lot of junk email trying to claim I must update my account
information or some such at PayPals. I am an engineer so I know to check links
before using them, BUT YOUR AVERAGE USER DOES NOT!!!!.

Expecting the average user to be aware of such redirection attempts is WAY
BEYOND their capabilities! MOST USERS DO NOT HAVE A CLUE HOW LINKING EVEN WORKS!
PERIOD! This is a place where you developers need to design your software for
users, NOT for other engineers and computer scientists!


Reproducible: Always



Expected Results:  
I expect a big loud warning to pop up saying the URL may be a spoof!
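
The check requested in this report, sketched as an added example for scanning an HTML mail body or page (it is not part of the original report and not Firefox code). The names `host_of`, `LinkAuditor` and `find_spoofed_links` are hypothetical. It assumes a schemeless `href` such as the one in the report is meant as a host name, and it only flags links whose visible text itself looks like a URL.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text is "URL-like" if it is a bare host name or a full URL (assumed heuristic).
URL_LIKE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.I)

def host_of(value):
    """Lower-cased host of a URL or bare host string, without a leading 'www.'."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value   # schemeless value: let urlsplit parse it as a host
    try:
        host = (urlsplit(value).hostname or "").lower().rstrip(".")
    except ValueError:         # malformed authority, e.g. unbalanced IPv6 brackets
        return ""
    return host[4:] if host.startswith("www.") else host

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text = None, []   # state of the <a> currently open
        self.findings = []                # (visible text, href) pairs that disagree

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown, href = "".join(self.text).strip(), self.href
        self.href = None
        # Flag only when the text claims a host and the target host differs.
        if URL_LIKE.match(shown) and host_of(href) and host_of(shown) != host_of(href):
            self.findings.append((shown, href))

def find_spoofed_links(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample: the report's link, a matching link, and a non-URL label.
SAMPLE = ('<a href="www.somesleazebag.com">www.somerealplace.com</a> '
          '<a href="http://www.somerealplace.com/login">somerealplace.com</a> '
          '<a href="http://www.somesleazebag.com/">Click here</a>')
```

The third sample link is not flagged because its label makes no claim about a destination, which is the limit of a text-versus-target comparison.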

Comment 1

13 years ago
This is just a simple (non JS) variant of bug 257307, marking as DUP.

*** This bug has been marked as a duplicate of 257307 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE