Closed Bug 342157 Opened 15 years ago Closed 15 years ago

status bar shows one url, but clicking goes somewhere else

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: kae, Assigned: dveditz)

References

()

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4

The example URL contains code I received in a phishing email. The code creates a form targeted to one place, with the submit button contained in a link which points to a safe place.

This one nearly caught me - hovering the mouse over the "link" showed a safe URL in the status bar. Right-click, Copy on the link also yielded the safe URL.
  However, the intention of the code is that a click will make the browser open in an unsafe area.

Now, while Firefox follows the link instead of the form, it is still a little unsettling. I get the feeling that it wouldn't be too large a step to go from there to following the form.

I wonder, would it be possible to make submission inputs show their targets in the status bar? Especially if they're contained in a link.

Reproducible: Always

Steps to Reproduce:
1. go to the example url
2. hover over the "link"
3. read the source

Actual Results:  
safe url is shown in status bar

Expected Results:  
a warning showing that there could be a possible phishing attack going on.

If I read the HTML 4.01 DTD right, then form controls are allowed within links. I think this may be a mistake. My personal opinion on this is that the browser should not allow an input to become a link, and should show the form target instead of the link target in the status bar.
WORKSFORME

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1a3) Gecko/20060618 BonEcho/2.0a3 ID:2006061804
The link works for me, too, in both Firefox and Thunderbird: status bar says paypal, clicking takes me to paypal rather than submitting the form.

We have fixed similar nested-link bugs in the past, though, so it's possible this phish was targetted at older versions, or more likely MS Outlook/IE.

There's a Firefox extension that displays the target of form submits. Don't think anyone has adapted it to Thunderbird, though.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.