The trick behind camouflaged links
Contributed by: Email on 03/22/2013 11:11 AM
[
Comments
]
By using java script , links can be modified in such a way that even the most attentive user will not notice anything amiss. This can be exploited by attackers to poison links and lure users to web pages which they had no intention of visiting. Blogger and developer Bilawal Hameed, who discovered the vulnerability, describes it as a new tool for phishers.
Even the mouse-over test fails to uncover the subterfuge, as the link, which appears in the source code as continues to be displayed when the cursor hovers over it. Clicking on it however, triggers an onclick event, which utilizes java script to divert the user to an alternative URL.
Just a few lines of code are required to implement this subterfuge:
var links = document.links;
for(i in links) {
links.onclick = function(){
this.href = 'http://bit.ly/141nisR';
};
}
Embedding the script is child's play. Hameed has therefore informed Mozilla (and other browser makers) of his discovery, but has yet to receive a response. Google is, according to "internet rumors", already working on a fix. Opera is currently the only browser where this trick doesn't work.
Hameed has suggested warning users when the location of a link changes to another domain after being clicked. Until the vulnerability has been fixed, users should check that they really do end up on the advertised domain. Hameed initially suggested that the W3C disable the ability for the href attribute to be changed after an onclick event, but as sites like Google and Facebook actually use the capability, he has since withdrawn that suggestion and gone with the idea of warning users of link changes.
Even the mouse-over test fails to uncover the subterfuge, as the link, which appears in the source code as continues to be displayed when the cursor hovers over it. Clicking on it however, triggers an onclick event, which utilizes java script to divert the user to an alternative URL.
Just a few lines of code are required to implement this subterfuge:
var links = document.links;
for(i in links) {
links.onclick = function(){
this.href = 'http://bit.ly/141nisR';
};
}
Embedding the script is child's play. Hameed has therefore informed Mozilla (and other browser makers) of his discovery, but has yet to receive a response. Google is, according to "internet rumors", already working on a fix. Opera is currently the only browser where this trick doesn't work.
Hameed has suggested warning users when the location of a link changes to another domain after being clicked. Until the vulnerability has been fixed, users should check that they really do end up on the advertised domain. Hameed initially suggested that the W3C disable the ability for the href attribute to be changed after an onclick event, but as sites like Google and Facebook actually use the capability, he has since withdrawn that suggestion and gone with the idea of warning users of link changes.
Comments
