Closed Bug 359298 Opened 19 years ago Closed 16 years ago

Shows a URL in the status bar which is different from the one that will actually be opened

Categories

(Toolkit :: Safe Browsing, defect)

defect
Not set
normal


RESOLVED WONTFIX

People

(Reporter: benny, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1) Gecko/20061010 Firefox/2.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1) Gecko/20061010 Firefox/2.0

I don't know if this is a real phishing attack, because you need JavaScript. But with this simple example you can modify a URL while the user clicks on it.

<a id="t1" href="http://www.mozilla.com" onclick="document.getElementById('t1').href = 'http://www.microsoft.com';">http://www.microsoft.com</a>

Reproducible: Always

Actual Results:
microsoft.com will be opened.
This has been known about for a long time, and there's not much that can be done about it. But I don't see why it's a problem. What sort of person checks the status bar to see where he's going, but then doesn't look at the URL bar to see if he's got there? Can you come up with a plausible scenario where this might be dangerous? Gerv
This is the same problem I mentioned in bug 83578 comment 17. I don't think we can do much about it, but the suggestion in bug 229050 might be worth looking into.

> What sort of person checks the status bar to see where he's going, but then
> doesn't look at the URL bar to see if he's got there?

Someone who doesn't know that the status bar link target information is not as trustable as the address bar.
Group: security
> Can you come up with a plausible scenario where this might be dangerous?

Someone posts in a guestbook or a board where HTML is allowed. The attacker posts a link like this:

<a id="t1" href="http://www.youTube.com?a_good_video_very_funny" onclick="document.getElementById('t1').href = 'http://bad_hacker_site_with_viruses.com';">Funny YouTube Video!!!</a>

Now the user sees the link "http://www.youTube.com?a_good_video_very_funny" in the status bar and thinks "well, YouTube rocks! It's trustworthy". He sees the wrong link once he has clicked on it, but by then it could be too late...
Guestbooks and web boards that allow "onclick" event handlers are broken (vulnerable to XSS attacks), so that's not a good example.
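The board scenario in the previous comment and the reply that such boards are already XSS-vulnerable point to the fix on the site side rather than in the browser: posted HTML must never carry event-handler attributes, so there is nothing left that can rewrite href between hover and click. The following is an added example, not code from this bug or from Mozilla. It is a minimal allowlist sanitizer for posted HTML, run over the constructed "Funny YouTube Video" link from the comment above; the function names, the allowed-tag set and the sample inputs are assumptions for illustration. For a real deployment use a maintained sanitizer such as DOMPurify instead of a hand-rolled regex.

```javascript
// Added example (not from the bug report or from Mozilla).
// Allowlist sanitizer for user-posted HTML: keeps only <a href>, <b>, <i>
// (and their closing tags), drops every attribute that is not a safe href,
// so inline handlers such as onclick/onmousedown cannot rewrite the link
// target after the status bar has shown it. Tag set and names are assumed.

const ALLOWED_TAGS = new Set(['a', 'b', 'i']);
// One HTML tag: optional "/", tag name, raw attribute string.
const TAG_RE = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
// One attribute: name, then optional ="..." / '...' / bare value.
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Accept only absolute http(s) URLs; javascript:, data:, relative and
// malformed values are rejected. Returns the normalised href or null.
function safeHref(value) {
  try {
    const u = new URL(value);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
  } catch (e) {
    return null;
  }
}

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

function sanitizePostedHtml(html) {
  return html.replace(TAG_RE, (whole, slash, name, attrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return '';      // drop unknown tags (img, script, ...)
    if (slash) return `</${tag}>`;
    if (tag !== 'a') return `<${tag}>`;         // <b>, <i>: no attributes at all
    let href = null;
    for (const m of attrs.matchAll(ATTR_RE)) {
      const attr = m[1].toLowerCase();
      const val = m[2] ?? m[3] ?? m[4] ?? '';
      if (attr === 'href') href = safeHref(val);
      // id, onclick, onmousedown, style, ... are silently discarded.
    }
    return href
      ? `<a href="${escapeAttr(href)}" rel="noopener noreferrer">`
      : '<a>';
  });
}

// Constructed sample input: the link from the comment above.
const POSTED_LINK =
  '<a id="t1" href="http://www.youTube.com?a_good_video_very_funny" ' +
  'onclick="document.getElementById(\'t1\').href = ' +
  '\'http://bad_hacker_site_with_viruses.com\';">Funny YouTube Video!!!</a>';

console.log(sanitizePostedHtml(POSTED_LINK));
```

After sanitizing, the only target the anchor can have is the one the status bar will show; the href is also normalised through the URL parser, which is why the host comes out lower-cased with an explicit "/" path.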
Would it be possible to make the href attribute readonly while the link is focused or hovered?
OS: Windows XP → All
Hardware: PC → All
On account of Jesse and Gerv, there isn't much we can do and the conversation has pretty much died. I'm going to move this to WontFix unless someone has something else to say.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX
Product: Firefox → Toolkit