I thought this was sensationalist the last time it came up, and I still do.
This is an attack which targets people who are carefully checking the link URL before clicking, but who then ignore the actual content of their URL bar. That has to be a pretty limited group, right? And this is far from the only way to spoof a link in JavaScript, so to really make this impossible would mean disabling swaths of functionality used widely across the web, i.e. not gonna happen.[0]
And it's counterproductive. Since the birth of the web we've been trying to drill into people's skulls not to trust anything except what it says in your URL bar after "https:". We need to avoid anything that would give users any other impression.
That said, there is a useful message here, not "this is a problem with JavaScript" but "this is another reason you must personally validate the domain name before entering any personal information."
[0] On a large scale, that is. Obviously some people here are comfortable with disabling swaths of JavaScript across the web.
It can be used to lead you to a page that exploits the browser, before you realize you're not on the expected site.
There are, most of the time, undisclosed zero day attacks in the wild, for most browsers and plugins.
I should add that I check the URL bar when I enter information, but not always when I browse casually. I always check the target of links, though, and this could trick me.
I wouldn't be surprised if some users never read the URL bar... people who can't tell a browser from a search engine, for example.
The danger of this, is not (IMO) people inserting personal data or financial data on the end page (which would be avoided by paying attention to the URL bar), but in targeted attacks where the page serves up a IE/Flash/Java exploit compromising the users machine. At this point it doesn't matter what the end result is, as the damage is done. Also, an attacker can simply redirect to to the orig page/target after exploitation in such a way that the majority of casual users wouldn't notice, as there is no user interaction at the end.
Example a link to an article or PDF report of interest is Hijacked via this method (where the hover is correct but actual target is malicious) the user quickly hits the exploit site and is compromised/malware dropped while the exploit site displays a splash page of some sort briefly, it then forwards to the orig. destination.
I don't see the majority of non paranoid users detecting this, even if they are in the right mindset, as they end up at the proper site with nothing more than quick, and now ubiquitous, splash/ad page in between.
EDIT: I'm not necessarily advocating any change, this behavior can be tracked and blocked in a properly secured infrastructure, but this is where I see the potential for harm.
>Since the birth of the web we've been trying to drill into people's skulls not to trust anything except what it says in your URL bar after "https:".
While perhaps this should be true, I don't think it is. I don't recall any internet instruction manual advising people to check the domain and browsers don't exactly emphasize the domain.
It was purely gathering thoughts to what I consider a flaw. Sure, it's not the only way to do it -- but this is it in it's simplest form.
False redirections is the principle. I'm not sure how to fully eradicate it in that sense, but I think to bring attention to the possibility is somewhat beneficial rather than sensationalist.
The only reason that I don't like it isn't for attacks, but for undisclosed affiliate schemes. Even if I'm watching my address bar once I get there I may have been 301'd before I could notice the bar changing.
While this should probably be fixed as prescribed by the author, it's relatively easy for a no-goodnik to accomplish the same goal without touch the href:
I think this is an important point. The fact that you can change the href after the click is irrelevant because there are other (just as easy) ways to change where the link will be taking the user. If malicious javascript is being run on your page, THAT is your problem, not the href switch.
Thus You cannot just "warn users if the location of a link changes to a different domain after they click on it".
That said, this is probably a "wontfix".
Also, nowadays, the whole purpose of SSL certificates is actually doomed due to the "growth" - that is, rogue business people for profit without actual verification.
In the beginning, one needed to fax in whole incorporation certificates and the like.
Now, it is just like You pay for it, then maybe They phone You, maybe not.
If a malicious hacker can insert some script in a trusted page, security is pretty much completly broken and you have other worries. The fact that you can make links in this page point to other malicious pages seems like a small problems as most people won't even check the domain before clicking the link.
I would think that some users are most likely to check the address bar after clicking the link. But my dad would probably woudn't see anything.
With relative ease, you can build websites with a cheap $10 SSL that can impose to be a PayPal page. JavaScript can provide phishing and accessing cookies, but beyond that, I'm not really sure what else it can offer.
It may be simple code, but I think the title of the post explained that.
you kidding right? while we have real world problems (URL detections, cookies etc check homakov.blogspot.com) you ask w3c to do what? To deny redirecting to other websites and changing href after click? I can tell you more horror JS tricks, but they are not fixed yet.
I work on the IE team at Microsoft, and I really don't think this is an exploit. If you can control the script for the click event, then you already have control of the page and can do worse (think: cross-site scripting). In this case, if you browse to my site and I'm a bad guy and want to send you to evil.com, I'd just craft a page that makes you think the whole page is honorable, rather than hope you click on a link. In other words, anyone who can hack the click event already owns you.
I'm very happy to reassess if you have an example where you do not control the content of the page, but somehow still control the content of the click. That would be really serious and worth fixing.
-John Jansen
Principal Test Lead
Internet Explorer
Your logic is flawed for bots that parse and render the pages. I have ran a small blog that I hand wrote from scratch and in the process found that around 4 years ago any phishing/spamming/harvesting bot worth it's salt will render the pages leaving these types of clever fix hacks useless.
In addition to countless other oversights, setTimeout would not work as you suggested in the post as the page would be unloaded before it ever executed. And, as others have already mentioned, there are numerous other ways to accomplish the exact same effect with 'more legitimate' methods (e.g. event.preventDefault(); window.location = ...).
Various browsers such as Chrome will warn/block you from visiting known malicious sites, but it comes down to being aware of where you are before entering personal information.
I think a better proposal might be getting browsers to warn users if the url they are visiting is sufficiently different from the original href attribute (i.e. different host). Something like this could easily be done with a browser extension (and could handle more cases such as preventDefault + window.location = ...).
Firefox 21 (Aurora), I got sent to PayPal - just realized that I had NoScript on, though. Allowed scripts for bilaw.al, tried again, and I got sent to the dummy page.
I got sent to the dummy page on Opera 12.13 and Chrome 25. Just updated to Opera 12.14 and I still got sent to the dummy page. Running Windows 7.
You can set up a span with a style that has a link-like look (color, underline), use "cursor:pointer" in the style to make the pointer turn to a hand over it. Use a mouseover/out event catcher to trigger a tooltip that mimics the mouseover behavior on links, then capture the click event on the span to send the user to another page.
You can use JavaScript to swap out all the links for spans like these.
If you're on a site that's using intentionally deceptive JavaScript or getting malicious JavaScript injected, whether or not links go where you think they will is the least of your problems.
I just tried clicking your "Paypal" link in Chrome 25, Firefox 19, and IE9. All of them allowed the href to change and went to what could have been the phishing site. Then I went back and tried right-clicking the "Paypal" link and open in a new tab. All 3 browsers went to Paypal.
I like your suggestion to have behavior changed so the browsers don't allow the href to be changed to another domain without warning the user. Until that happens, maybe opening links in a new tab (or window) is a good practice.
The reason for onclick is exactly the mentioned "problem".
I use <a> tags to show them as links, but without reference, only with onclick events to load the actual request.
So if any browser manufacturer tries to kill this behaviour (like x-site scripting bullshit) the world will go oom...
So, if you do not like the javascript events -> disable javascript interpreter in your browser!
It would make more sense to kill IE, ActiveX, Flash and Java-Plugins...
right click open in new tab takes you to the original link. So this must be done in session or something and the alt-open in next tab take the plain link URL?
By doing right-click and "Open link in new tab", there's no actual onclick event, as what you're actually doing is opening the original link in a new tab. Therefore, his href replacing code wouldn't get executed.
So did you just discovered DOM manipulation with JavaScript ? What would a browser fix be like in your opinion ? Disallow JavaScript to add event listeners and/or modify Node properties ?
Google Analytics hooks on links to track clicks and exit pages and so on. Would you really enjoy an alert every time you click on something ?
I am amazed how you people come up with crap like this.
I dislike loggin in to sites that I have been referred to by other sites in general. Not sure if there is a solution for paypal? Like getting an transaction id from a shop, then logging on to PayPal and paying that transaction id?
Might be something worthwhile to provide a solution for (possibly even a valid use case for QR codes - pay with phone on a web site)? But then, not many people will care, I suspect :-/
I noticed that at least one other person suggested opening the link in a new tab. This seems to defeat this hack in Chrome and IE 9. It probably defeates it in all browsers, since the new tab is in a different context than where the javascript is being executed and therefore can not be redirected by the javascript.
Fun fact: On Chrome, Opening the link in a new tab does not redirect to the phishing site. However, normal clicking does. Context changing seems to make this work, as chrome delegates the href to a new process, and does not execute the JS embed.
This may be the dumbest blog post I've ever read. The fact that this is possible (and necessary) speaks more to the general glacial nature of the HTML standards and JS to provide the functionality we expect of our web apps.
Right clicking the link and choosing "Open in new tab" with Chrome does not execute the JavaScript. This is good and bad. Good because it solves your problem, bad because it makes the link unpredictable.
[+] [-] Cushman|13 years ago|reply
This is an attack which targets people who are carefully checking the link URL before clicking, but who then ignore the actual content of their URL bar. That has to be a pretty limited group, right? And this is far from the only way to spoof a link in JavaScript, so to really make this impossible would mean disabling swaths of functionality used widely across the web, i.e. not gonna happen.[0]
And it's counterproductive. Since the birth of the web we've been trying to drill into people's skulls not to trust anything except what it says in your URL bar after "https:". We need to avoid anything that would give users any other impression.
That said, there is a useful message here, not "this is a problem with JavaScript" but "this is another reason you must personally validate the domain name before entering any personal information."
[0] On a large scale, that is. Obviously some people here are comfortable with disabling swaths of JavaScript across the web.
[+] [-] pygy_|13 years ago|reply
There are, most of the time, undisclosed zero day attacks in the wild, for most browsers and plugins.
I should add that I check the URL bar when I enter information, but not always when I browse casually. I always check the target of links, though, and this could trick me.
I wouldn't be surprised if some users never read the URL bar... people who can't tell a browser from a search engine, for example.
[+] [-] cjc1083|13 years ago|reply
Example a link to an article or PDF report of interest is Hijacked via this method (where the hover is correct but actual target is malicious) the user quickly hits the exploit site and is compromised/malware dropped while the exploit site displays a splash page of some sort briefly, it then forwards to the orig. destination.
I don't see the majority of non paranoid users detecting this, even if they are in the right mindset, as they end up at the proper site with nothing more than quick, and now ubiquitous, splash/ad page in between.
EDIT: I'm not necessarily advocating any change, this behavior can be tracked and blocked in a properly secured infrastructure, but this is where I see the potential for harm.
[+] [-] aneth4|13 years ago|reply
While perhaps this should be true, I don't think it is. I don't recall any internet instruction manual advising people to check the domain and browsers don't exactly emphasize the domain.
[+] [-] bilawal|13 years ago|reply
False redirections is the principle. I'm not sure how to fully eradicate it in that sense, but I think to bring attention to the possibility is somewhat beneficial rather than sensationalist.
[+] [-] 3pt14159|13 years ago|reply
Not that bad, but still kinda sucky.
[+] [-] lukifer|13 years ago|reply
[+] [-] devinblais|13 years ago|reply
[+] [-] victorcsiky|13 years ago|reply
Thus You cannot just "warn users if the location of a link changes to a different domain after they click on it".
That said, this is probably a "wontfix".
Also, nowadays, the whole purpose of SSL certificates is actually doomed due to the "growth" - that is, rogue business people for profit without actual verification. In the beginning, one needed to fax in whole incorporation certificates and the like. Now, it is just like You pay for it, then maybe They phone You, maybe not.
[+] [-] batiste|13 years ago|reply
If a malicious hacker can insert some script in a trusted page, security is pretty much completly broken and you have other worries. The fact that you can make links in this page point to other malicious pages seems like a small problems as most people won't even check the domain before clicking the link.
I would think that some users are most likely to check the address bar after clicking the link. But my dad would probably woudn't see anything.
[+] [-] bilawal|13 years ago|reply
It may be simple code, but I think the title of the post explained that.
[+] [-] karolisd|13 years ago|reply
[+] [-] bilawal|13 years ago|reply
[+] [-] homakov|13 years ago|reply
[+] [-] unknown|13 years ago|reply
[deleted]
[+] [-] homakov|13 years ago|reply
[+] [-] johnjansen|13 years ago|reply
I'm very happy to reassess if you have an example where you do not control the content of the page, but somehow still control the content of the click. That would be really serious and worth fixing.
-John Jansen Principal Test Lead Internet Explorer
[+] [-] mojuba|13 years ago|reply
[+] [-] SmartWebPerson|13 years ago|reply
[+] [-] jvatic|13 years ago|reply
Various browsers such as Chrome will warn/block you from visiting known malicious sites, but it comes down to being aware of where you are before entering personal information.
I think a better proposal might be getting browsers to warn users if the url they are visiting is sufficiently different from the original href attribute (i.e. different host). Something like this could easily be done with a browser extension (and could handle more cases such as preventDefault + window.location = ...).
[+] [-] enigmango|13 years ago|reply
I got sent to the dummy page on Opera 12.13 and Chrome 25. Just updated to Opera 12.14 and I still got sent to the dummy page. Running Windows 7.
[+] [-] burgerguyg|13 years ago|reply
You can use JavaScript to swap out all the links for spans like these.
If you're on a site that's using intentionally deceptive JavaScript or getting malicious JavaScript injected, whether or not links go where you think they will is the least of your problems.
[+] [-] DPLeo|13 years ago|reply
I like your suggestion to have behavior changed so the browsers don't allow the href to be changed to another domain without warning the user. Until that happens, maybe opening links in a new tab (or window) is a good practice.
Enjoy!
[+] [-] Xeno22|13 years ago|reply
So, if you do not like the javascript events -> disable javascript interpreter in your browser!
It would make more sense to kill IE, ActiveX, Flash and Java-Plugins...
[+] [-] dougaitken|13 years ago|reply
[+] [-] vitobcn|13 years ago|reply
[+] [-] cthackers|13 years ago|reply
Google Analytics hooks on links to track clicks and exit pages and so on. Would you really enjoy an alert every time you click on something ? I am amazed how you people come up with crap like this.
Enjoy your 5 minutes of traffic while they last
[+] [-] Tichy|13 years ago|reply
Might be something worthwhile to provide a solution for (possibly even a valid use case for QR codes - pay with phone on a web site)? But then, not many people will care, I suspect :-/
[+] [-] bjazmoore|13 years ago|reply
[+] [-] bilawal|13 years ago|reply
[+] [-] Tarlach|13 years ago|reply
[+] [-] imack|13 years ago|reply
[+] [-] bpicolo|13 years ago|reply
Do you have scripts disabled? Because it wouldn't work in that case.
[+] [-] RenierZA|13 years ago|reply
[+] [-] bilawal|13 years ago|reply
[+] [-] dougaitken|13 years ago|reply
[+] [-] arjeezyboom|13 years ago|reply
[+] [-] adamzr86|13 years ago|reply