Closed Bug 342157 Opened 19 years ago Closed 19 years ago

status bar shows one url, but clicking goes somewhere else

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

RESOLVED WORKSFORME

People

(Reporter: kae, Assigned: dveditz)

References

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4

The example URL contains code I received in a phishing email. The code creates a form targeted to one place, with the submit button contained in a link which points to a safe place. This one nearly caught me - hovering the mouse over the "link" showed a safe URL in the status bar. Right-click, Copy on the link also yielded the safe URL. However, the intention of the code is that a click will make the browser open in an unsafe area.

Now, while Firefox follows the link instead of the form, it is still a little unsettling. I get the feeling that it wouldn't be too large a step to go from there to following the form. I wonder, would it be possible to make submission inputs show their targets in the status bar? Especially if they're contained in a link.

Reproducible: Always

Steps to Reproduce:
1. go to the example url
2. hover over the "link"
3. read the source

Actual Results: safe url is shown in status bar

Expected Results: a warning showing that there could be a possible phishing attack going on.

If I read the HTML 4.01 DTD right, then form controls are allowed within links. I think this may be a mistake. My personal opinion on this is that the browser should not allow an input to become a link, and should show the form target instead of the link target in the status bar.
WORKSFORME Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1a3) Gecko/20060618 BonEcho/2.0a3 ID:2006061804
The link works for me, too, in both Firefox and Thunderbird: status bar says paypal, clicking takes me to paypal rather than submitting the form. We have fixed similar nested-link bugs in the past, though, so it's possible this phish was targeted at older versions, or more likely MS Outlook/IE. There's a Firefox extension that displays the target of form submits. Don't think anyone has adapted it to Thunderbird, though.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
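An added example, not part of the bug thread or of Mozilla's code: a mail-side check for the pattern reported above, flagging a submit control nested inside a link when the form's target host differs from the link's host. The names `scan`, `NestedSubmitFinder` and the `.example` hosts in the sample are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Control types that submit a form; a <button> with no type defaults to submit.
SUBMIT = {"input": ("submit", "image"), "button": ("", "submit")}

def host(url):
    return (urlsplit(url).hostname or "").lower()

class NestedSubmitFinder(HTMLParser):
    """Flag submit controls nested in <a href> when the form posts to another host."""
    def __init__(self):
        super().__init__()
        self.forms, self.links = [], []   # stacks of open form actions / link hrefs
        self.findings = []                # (link shown on hover, real form target)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        kind = (a.get("type") or "").lower()
        if tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "a":
            self.links.append(a.get("href") or "")
        elif self.forms and self.links and self.links[-1] and kind in SUBMIT.get(tag, ()):
            # A formaction attribute on the control overrides the form's action.
            action = a.get("formaction") or self.forms[-1]
            if host(action) != host(self.links[-1]):
                self.findings.append((self.links[-1], action))

    def handle_endtag(self, tag):
        stack = {"form": self.forms, "a": self.links}.get(tag)
        if stack:
            stack.pop()

def scan(html):
    finder = NestedSubmitFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample shaped like the report: the hover target and the form target differ.
SAMPLE = """
<form action="http://collector.example/login.php" method="post">
  <a href="https://safe.example/"><input type="submit" value="https://safe.example/"></a>
</form>
"""

if __name__ == "__main__":
    for href, action in scan(SAMPLE):
        print(f"hover shows {href} but form submits to {action}")
```

A relative or missing form action has no host, so it is reported whenever the enclosing link is absolute, which is the conservative choice for HTML mail.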