Closed Bug 342157 Opened 15 years ago Closed 15 years ago
status bar shows one url, but clicking goes somewhere else
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168) Gecko/20060508 Firefox/22.214.171.124
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:126.96.36.199) Gecko/20060508 Firefox/188.8.131.52

The example URL contains code I received in a phishing email. The code creates a form targeted to one place, with the submit button contained in a link which points to a safe place. This one nearly caught me - hovering the mouse over the "link" showed a safe URL in the status bar. Right-click, Copy on the link also yielded the safe URL. However, the intention of the code is that a click will make the browser open in an unsafe area.

Now, while Firefox follows the link instead of the form, it is still a little unsettling. I get the feeling that it wouldn't be too large a step to go from there to following the form. I wonder, would it be possible to make submission inputs show their targets in the status bar? Especially if they're contained in a link.

Reproducible: Always

Steps to Reproduce:
1. go to the example url
2. hover over the "link"
3. read the source

Actual Results: safe url is shown in status bar

Expected Results: a warning showing that there could be a possible phishing attack going on.

If I read the HTML 4.01 DTD right, then form controls are allowed within links. I think this may be a mistake. My personal opinion on this is that the browser should not allow an input to become a link, and should show the form target instead of the link target in the status bar.
WORKSFORME Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1a3) Gecko/20060618 BonEcho/2.0a3 ID:2006061804
The link works for me, too, in both Firefox and Thunderbird: status bar says paypal, clicking takes me to paypal rather than submitting the form. We have fixed similar nested-link bugs in the past, though, so it's possible this phish was targeted at older versions, or more likely MS Outlook/IE. There's a Firefox extension that displays the target of form submits. Don't think anyone has adapted it to Thunderbird, though.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
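
The pattern reported in this bug, a submit control wrapped in a link whose target differs from the enclosing form's action, can be checked for mechanically when filtering HTML mail. The following is an added example, not code from the bug report or from Mozilla; the name `find_disguised_submits` and the sample markup and hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SUBMIT_TYPES = {"submit", "image"}

class NestedSubmitFinder(HTMLParser):
    """Flag submit controls wrapped in a link whose host differs from the form's action host."""
    def __init__(self):
        super().__init__()
        self.form_action = None   # action of the enclosing <form>, if any
        self.link_href = None     # href of the enclosing <a>, if any
        self.findings = []        # (link_host, form_host) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_action = a.get("action") or ""
        elif tag == "a" and a.get("href"):
            self.link_href = a["href"]
        elif tag in ("input", "button"):
            # <button> defaults to type=submit; <input> defaults to text
            kind = (a.get("type") or ("submit" if tag == "button" else "text")).lower()
            if kind in SUBMIT_TYPES and self.form_action is not None and self.link_href:
                link_host = urlsplit(self.link_href).hostname
                form_host = urlsplit(self.form_action).hostname
                # Relative or empty actions have no host and are skipped.
                if form_host and link_host != form_host:
                    self.findings.append((link_host, form_host))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None
        elif tag == "a":
            self.link_href = None

def find_disguised_submits(html):
    """Return (link_host, form_host) for each submit control hidden inside a mismatched link."""
    finder = NestedSubmitFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample input (not the markup from the reported e-mail).
SAMPLE = """
<form action="http://collector.example.net/login" method="post">
  <a href="https://www.example.com/"><input type="submit" value="https://www.example.com/"></a>
</form>
<form action="https://www.example.com/search">
  <a href="https://www.example.com/help"><input type="submit" value="Search"></a>
</form>
"""
```

Only the first form in the sample is reported; the second posts to the same host as its surrounding link.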