I've noticed for a very long time that when you try to copy a link location or open a link on Facebook, it modifies the link and passes it through l.php.
For example, I can be sent to
.php?u=http%3A%2F%2Fwww.google%2F&h=DKVUritNDJDJLDLVbldoDLFKBLOD5dlfDJY_-d3fgDUaA9b
even though my browser render the link preview as /.
Today, I took a closer look using Firebug and found that Facebook puts onmousedown="UntrustedLink.bootstrap($(this)[...] in the <a> tag. The second I right clicked the link, I saw the href attribute change in Firebug.
This worries me.
The advice many of us have given to less tech-savvy people (check where the link is taking you before you click so that you don't bee a victim of phishing) now seems to have bee useless. Isn't this a security risk? Can't phishing websites misuse this?
Why don't browsers prevent this behavior either by disallowing onmousedown to change the href or by running the javascript before reading the href attribute, so that I am sent to the location I thought I going to, not the one change while I was clicking it?
Edit: I want to briefly emphasize that what bothers me more than the risk of phishing is that users are being misled and it simply feels wrong to me that this can happen, whether by a trusted source or not.
I've noticed for a very long time that when you try to copy a link location or open a link on Facebook, it modifies the link and passes it through l.php.
For example, I can be sent to
http://www.facebook./l.php?u=http%3A%2F%2Fwww.google.%2F&h=DKVUritNDJDJLDLVbldoDLFKBLOD5dlfDJY_-d3fgDUaA9b
even though my browser render the link preview as http://www.google./.
Today, I took a closer look using Firebug and found that Facebook puts onmousedown="UntrustedLink.bootstrap($(this)[...] in the <a> tag. The second I right clicked the link, I saw the href attribute change in Firebug.
This worries me.
The advice many of us have given to less tech-savvy people (check where the link is taking you before you click so that you don't bee a victim of phishing) now seems to have bee useless. Isn't this a security risk? Can't phishing websites misuse this?
Why don't browsers prevent this behavior either by disallowing onmousedown to change the href or by running the javascript before reading the href attribute, so that I am sent to the location I thought I going to, not the one change while I was clicking it?
Edit: I want to briefly emphasize that what bothers me more than the risk of phishing is that users are being misled and it simply feels wrong to me that this can happen, whether by a trusted source or not.
Share Improve this question edited Aug 26, 2011 at 15:06 MSalters 180k11 gold badges167 silver badges370 bronze badges asked Aug 26, 2011 at 14:10 UmangUmang 5,2662 gold badges26 silver badges24 bronze badges 2- 1 Having a limitation like this one will not solve anything. – Emil Ivanov Commented Aug 26, 2011 at 14:17
- 1 Onmousedown link changing is an incredibly annoying behavior as it makes it plicated to quickly paste links. That said, outgoing click tracking is important, so maybe the better solution would be if browsers supported a more transparent method of hijacking clicks. – Tgr Commented Aug 26, 2011 at 15:13
3 Answers
Reset to default 5I agree that there is potential here for phishing. This was reported as a bug in FireFox quite a long time ago, but the problem is this:
<body onmousedown="document.getElementById('changeMe').href='www.somewhereelse.'">
<a id="changeMe" href="www.google.">google</a>
</body>
Events bubble up to their parent, you would need to detect if an onmousedown event was going to change the href of a child element. Sounds reasonable? Okay, how about this:
<script>
function switcher() {
window.location = "www.somewhereelse.";
return false;
}
</script>
<body onmousedown="switcher()">
<a href="www.google.">google</a>
</body>
So we need to look out for window.location in functions triggered by onmousedown events as well. Still sound reasonable? How about if I have the onmousedown event remove the link altogether, replace it with a new element and then trigger the click on that. I can keep ing up with examples.
The point is, Javascript can be used to misdirect people using the status bar - you shouldn't trust it, you can only trust the URL.
To change this browsers would need to give the set href value on a link at the time of the click presidency over any other events that might happen, basically disable mouse events on anchor tags. I would venture to guess they probably won't do this, it would break too many applications that already exist.
Edit: Alternatively, I've seen people propose different methods of detecting and warning the user about possible link hijacking, but I've not seen any implemented yet.
The advice many of us have given to less tech-savvy people (check where the link is taking you before you click so that you don't bee a victim of phishing) now seems to have bee useless.
If by "check" you mean the link 'preview' browsers show at the bottom status bar then you are correct. That is not enough to check whether a link really goes where it claims to be going. For instance, running the jquery script below on a page will cause all link to go to google. regardless of what the actual href target of the link is:
$('a').click(function(evt){evt.preventDefault();window.location.href="http://google."})
Can't phishing websites misuse this?
Not really, because facebook is where the said javascript would have to be called from. The user has to go an untrusted source in the first place who would embed the javascript in the tag.