Security risk: The trick behind camouflaged links

Post by Little John »

News: The trick behind camouflaged links
http://www.h-online.com/security/news/i ... 28927.html

Post by Mohawk70 »

I came across a more informative article a few weeks ago
http://css.dzone.com/articles/htmls-black-sheep-element
HP Z800 Workstation
CPU : Dual Xeon 5690 3.46GHz
RAM : 192GB RAM
GPU : NVIDIA QUADRO P5000 16GB

Post by luis »

Nice.

anyway from the test page -> http://bilaw.al/2013/03/17/hacking-the- ... cters.html

selecting "open the link in a new window" or "new tab" you end up on the page referenced in the link, PayPal, bypassing the OnClick() and its javascript.
"Have you tried turning it off and on again ?"
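
A defender-side check for the behaviour described in the post above, as an added example that is not part of the thread or of the linked test page: it scans markup for links whose inline mouse handlers name a different host than the `href` the status bar shows. The handler-rewrites-`href` markup, the host names and the function names are constructed assumptions.

```javascript
// Added example: flag <a> tags whose inline mouse handlers reference a
// different host than the href shown in the status bar.
// Regex-based static scan; attribute values containing '>' are not handled.
const HANDLERS = ['onclick', 'onmousedown', 'onmouseup'];

// Parse quoted attributes of one opening tag into a lower-cased map.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(/([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g)) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// Hostname of url resolved against base, or null if it has none.
function hostOf(url, base) {
  try { return new URL(url, base).hostname.toLowerCase() || null; }
  catch { return null; }
}

function findCamouflagedLinks(html, baseUrl) {
  const findings = [];
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    const attrs = parseAttrs(tag);
    const shownHost = attrs.href ? hostOf(attrs.href, baseUrl) : null;
    if (!shownHost) continue; // nothing to compare against
    for (const name of HANDLERS) {
      const urls = (attrs[name] || '').match(/https?:\/\/[^\s'"<>)]+/gi) || [];
      for (const target of urls) {
        const targetHost = hostOf(target);
        if (targetHost && targetHost !== shownHost) {
          findings.push({ handler: name, shown: attrs.href, target });
        }
      }
    }
  }
  return findings;
}

// Constructed sample markup (not taken from the test page in the thread).
const SAMPLE = `
<a href="https://www.paypal.co.uk/" onclick="this.href='http://not-paypal.example/login'">This link should take you to PayPal.</a>
<a href="https://www.paypal.co.uk/help" onclick="track('https://www.paypal.co.uk/t')">Help</a>
<a href="/about" onmousedown="window.location='https://other.example/'; return false">About</a>
<a href="https://example.org/">plain</a>`;

console.log(findCamouflagedLinks(SAMPLE, 'https://site.example/'));
```

A scan like this only sees inline handlers; listeners attached from script files need a check in a real DOM.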

Post by Little John »

Mohawk70 wrote:I came across a more informative article a few weeks ago
Oh well, there are so many "more informative articles" about different topics on the web ...
But the topic in this thread is the vulnerability that was recently discovered by Bilawal Hameed.

Post by Little John »

luis wrote:Nice.

anyway from the test page -> http://bilaw.al/2013/03/17/hacking-the- ... cters.html

selecting "open the link in a new window" or "new tab" you end up on the page referenced in the link, PayPal, bypassing the OnClick() and its javascript.
Interesting, thanks for the tip!
However, a malicious web page could additionally just disallow right-click, couldn't it?

Post by MachineCode »

The original article (http://bilaw.al/2013/03/17/hacking-the- ... cters.html) has this link in it -> "This link should take you to PayPal." When I hover the mouse over it, Firefox's status bar shows "www.paypal.co.uk". But when I click the link, it does indeed take me to PayPal, as expected. The article claims only Opera is immune, but obviously Firefox is, too (I'm using 18.0). IE 9 fails and redirects to a non-PayPal site.

The problem with this sort of exploit is that the browser is expected to parse every line of JavaScript to mind-read (or second guess) the intended destination. Just because the DESCRIPTION says it's going to PayPal, doesn't mean the LINK actually has to! So we end up with browsers becoming bloated and acting like virus-scanners, constantly trying to read the link's mind when it shouldn't. We, as end users, are the ones that suffer.
Microsoft Visual Basic only lasted 7 short years: 1991 to 1998.
PureBasic: Born in 1998 and still going strong to this very day!

Post by Mohawk70 »

MachineCode wrote:The article claims only Opera is immune, but obviously Firefox is, too (I'm using 18.0). IE 9 fails and redirects to a non-PayPal site.
Also from the same article
Embedding the script is child's play. Hameed has therefore informed Mozilla (and other browser makers) of his discovery, but has yet to receive a response. Google is, according to "internet rumours", already working on a fix. Opera is currently the only browser where this trick doesn't work.
Last edited by Mohawk70 on Wed Mar 27, 2013 1:46 am, edited 1 time in total.

Post by Little John »

MachineCode wrote:The article claims only Opera is immune, but obviously Firefox is, too (I'm using 18.0).
This is interesting. The current Firefox version 19.0.2 is not immune (tested on Windows XP).

Post by Lord »

Little John wrote:
MachineCode wrote:The article claims only Opera is immune, but obviously Firefox is, too (I'm using 18.0).
This is interesting. The current Firefox version 19.0.2 is not immune (tested on Windows XP).
Just disable JavaScript.
As I run NoScript, I always explore a web site with JavaScript off
and switch Script on only if really needed.

Post by c4s »

Little John wrote:However, a malicious web page could additionally just disallow right-click, couldn't it?
You can also open it via middle-click. I'm used to opening every link that way.
Little John wrote:The current Firefox version 19.0.2 is not immune (tested on Windows XP).
I can confirm that... Previous versions aren't immune either. It most likely works because in that case JavaScript was disabled.
Lord wrote:Just disable JavaScript. [...]
What a bad idea. Nowadays JavaScript isn't something to play around with as it used to be years ago: Nearly every "up to date" website depends on it for styling purposes, to allow certain functionality etc.
If any of you native English speakers have any suggestions for the above text, please let me know (via PM). Thanks!

Post by Lord »

c4s wrote:...
Lord wrote:Just disable JavaScript. [...]
What a bad idea. Nowadays JavaScript isn't something to play around with as it used to be years ago: Nearly every "up to date" website depends on it for styling purposes, to allow certain functionality etc.
It works for me. I decide which site I can trust.
If you trust all sites: leave script on.

Post by SFSxOI »

I'm amazed you folks, and others on the 'net, are just finding out about this. I warned about this months ago when we finished our testing here, and it's been all over the internet for months. The long and short of it is if you have java installed you are vulnerable, no matter the browser used even if it does seem to not be affected by the very simple unsophisticated 'test' in the link given.
Little John wrote:
MachineCode wrote:The article claims only Opera is immune, but obviously Firefox is, too (I'm using 18.0).
This is interesting. The current Firefox version 19.0.2 is not immune (tested on Windows XP).
Actually, no browser is immune. That simple test is nowhere near the sophistication of the exploits of Java out there. Chances are most of you have actually visited a Java exploit link just by viewing a web page with an exploited link on it, or a web page with a link on it that pointed to another web page with an exploited link on it, without even clicking the exploited link or the link to the other web page and did not even realize it. It may not have installed any malware silently without you being aware of it, but you probably added to some clicks for pay somewhere at the very minimum for a bot net without realizing it.
Last edited by SFSxOI on Sun Mar 24, 2013 12:36 pm, edited 2 times in total.
The advantage of a 64 bit operating system over a 32 bit operating system comes down to only being twice the headache.

Post by Little John »

SFSxOI wrote:The long and short of it is if you have java installed you are vulnerable, no matter the browser used
:?:

The problem here is caused by JavaScript, not by Java.

Post by SFSxOI »

Little John wrote:
SFSxOI wrote:The long and short of it is if you have java installed you are vulnerable, no matter the browser used
:?:

The problem here is caused by JavaScript, not by Java.

Hmmm... no....the problem is caused by Java being installed, period. You are just seeing one aspect of how it can be exploited that's all.

We do this professionally, contract to investigate these things for major companies and governments and develop counter measures. The counter measure here is to uninstall Java or at least turn it off. Even with the 'security fixes' for java that have been put out it still remains vulnerable. The internet is a very hostile environment, if it's something that touches the internet that can be exploited it's a pretty good chance it has been exploited even if not made public yet. For example, Oracle knew about this almost a year ago but said nothing.
Last edited by SFSxOI on Sun Mar 24, 2013 12:49 pm, edited 2 times in total.

Post by luis »

Little John wrote: Interesting, thanks for the tip!
However, a malicious web page could additionally just disallow right-click, couldn't it?
Certainly, you see that often in "normal" web sites when they fear you can steal something from them using "save as".
A site which does that with the clear intention of limiting the browser functionality is no better than malware IMO. And it rubs me the wrong way.
So, if the "open in another tab/window" does not work, this should ring a small alarm bell and you can leave the site in disgust or, if you are really curious, you can disable JavaScript and continue as far as it's possible.
The idea should be: you browse relaxed (never completely, this is the real world) on a well known site you trust, and when visiting a dubious site you switch mindset and start to double check what you do, inspect the links, inspect the source and so on.

Anyway, the "open in another tab/window" is something even a normal user without any particular knowledge can keep in his bag of tricks, and can help in this case. So it's nice to know I think.