onmousedown or onmouseup can spoof href in status bar by rewriting href link in the middle of a click




12 years ago


(Reporter: Jim, Unassigned)


Firefox Tracking Flags

(Not tracked)




(1 attachment)



12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv: Gecko/20060426 Firefox/
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv: Gecko/20060426 Firefox/

onmousedown or onmouseup can spoof and rewrite the href of an anchor link in the middle of a click, so on hover the status bar displays one URL based on the initial href, but by the time you finish your click the href is set to another value and you navigate there instead.

What is wrong with Firefox (and other browsers likely affected) is that the status bar tells the user only partial info about a link.  Because of this spoof, you cannot trust the status bar.  Perhaps for links with onclick/onmouse events, the status bar should read "http://thelink.com   Note: Clicking this link will also run potentially insecure javascript code."  A whitelist might exclude certain trusted sites.

Also, in the same spirit of "Allow javascript to change status bar text", a config option should be available to prevent JavaScript from rewriting hrefs.

Reproducible: Always

Steps to Reproduce:
1. Search for "yahoo" at google.com
2. Hover over the first search result, observing the status bar text "http://yahoo.com".
3. Examine the page source, verifying the href = "http://yahoo.com".
4. Now, click that first search result but do not release the mouse button. Observe the new status bar text showing a Google tracking link.
5. Drag your mouse cursor away from the link, then release the click.
6. Now view the changed page source, and notice the href in the result link has been rewritten.

Actual Results:
The user is navigated to a Google forwarding page, which then forwards the user to http://yahoo.com

Expected Results:  
The status bar should tell the user that the link currently points to http://yahoo.com BUT WILL ALSO execute potentially insecure JavaScript onmousedown.

Or, even before clicking, Firefox should follow the function and make the status bar indicate that the link will actually take the user to http://google.com/url?sa=t&ct=res&c...{long tracking and forwarding link}...

I do not consider this a confidential security problem, because Google itself uses it in plain sight (rwt function in their search results source code), and because it is not unique to the Mozilla browser.

Comment 1

12 years ago
Created attachment 222524
Sample HTML file using onmousedown and onmouseup to rewrite a URL href mid-click.

*** This bug has been marked as a duplicate of 229050 ***
Last Resolved: 12 years ago
Component: Safe Browsing → General
QA Contact: safe.browsing → general
Resolution: --- → DUPLICATE
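
Added example, not part of the bug report or of Firefox: one way a page-level script or extension content script could detect the behaviour described above, by snapshotting a link's href on hover and comparing it with the href in effect at click time. The function names, the callback, and the example URLs are assumptions made for illustration.

```javascript
// Added example (not from the bug report): flag anchors whose href at click
// time differs from the href that was visible when the pointer hovered.
const hoverHref = new WeakMap(); // anchor element -> href shown at hover

function recordHover(anchor) {
  hoverHref.set(anchor, anchor.href);
}

function checkClick(anchor) {
  const shown = hoverHref.get(anchor);
  const actual = anchor.href;
  if (shown === undefined || shown === actual) {
    return { rewritten: false, shown, actual, crossOrigin: false };
  }
  let crossOrigin = true; // unparsable URLs are treated as a different origin
  try {
    crossOrigin = new URL(shown).origin !== new URL(actual).origin;
  } catch (_) { /* keep the conservative default */ }
  return { rewritten: true, shown, actual, crossOrigin };
}

// Browser wiring: capture-phase listeners on the document run before the
// link's own inline handlers, so the hover snapshot is the original href.
function installHrefGuard(doc, onRewrite) {
  const linkOf = (e) =>
    (e.target && e.target.closest ? e.target.closest('a[href]') : null);
  doc.addEventListener('mouseover', (e) => {
    const a = linkOf(e);
    if (a) recordHover(a);
  }, true);
  doc.addEventListener('click', (e) => {
    const a = linkOf(e);
    if (!a) return;
    const result = checkClick(a);
    if (result.rewritten) onRewrite(result, e); // caller may e.preventDefault()
  }, true);
}

// Constructed simulation of the reported sequence (hypothetical URLs).
function simulate() {
  const link = {
    href: 'http://destination.example/',
    onmousedown() { this.href = 'http://tracker.example/url?q=destination'; },
  };
  recordHover(link);       // pointer enters: status bar shows original href
  link.onmousedown();      // button pressed: page script rewrites the href
  return checkClick(link); // click completes against the rewritten href
}
```

In a browser, call installHrefGuard(document, handler) before other scripts run. The guard only sees rewrites that are followed by a click event, so the drag-away case in step 5 changes the href without triggering it.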