Insert link facilitates phishing attacks
coyo at darkdna.net
Wed Nov 20 19:59:18 EST 2013
He's got a point. It wouldn't exactly be a breaking change to silently
change the anchor's target to the link in the description. Descriptions
such as "click here" are legitimate, but if "twitter.com" links to
something that isn't "twitter.com/intent/follow" or something within the
same domain, I can't think of any legitimate use cases that would break
if this were filtered.
On 11/19/2013 03:19 PM, Gasper Zejn wrote:
> I'm not saying there isn't a legitimate use case for having a text lead to a
> remote URL. But how many legitimate use cases are there really for having a
> link description in a form of a URL, especially when the link URL differs from
> description URL?
> Tooltips help, but then again some protocols do not even allow for such rich
> content, e.g. IRC. So just by switching protocols you are now in greater
> danger, and an old habit of trusting displayed content (WYSIWYG) makes you
> vulnerable without even realizing it until you get burned once.
> Kind regards,
> Gašper Žejn
> On Wednesday, 20 November 2013 at 01:50:48, Ashish Gupta wrote:
>> Even though a person can abuse hyperlinks in all applications that support
>> it, maybe it's not that bad an idea being safe.
>> Say A sends to B a link :
>> Disguised as
>> The security check could then follow the WYSIWIG approach and always open
>> the link visible instead of whatever is contained in the URL.
>> If a user is dumb enough to click it, he or she might as well get infected
>> with malware if it's a bad link. But other than that , if it's a bad link
>> concealed as a good one, just stick to the good one.
>> And yeah. Tooltips help.
>> - Ashish
>> On 11/19/2013 4:18 AM Gasper Zejn <zejn at kiberpipa.org> said unto
>> devel at pidgin.im:
>>> Pidgin's feature insert link can be used to launch a phishing attack, see
>>> attached image.
>>> By inserting a link into description link, you can fool a more
>>> person thinking he is clicking a link to page A, when in fact the link
>>> takes him to page B.
>>> kind regards,
>>> Gašper Žejn
>> Just like every other application in the history of hyperlinks? You can
>> do the same in nearly every email client, word, every website, every other
>> chat client I've ever used...
>> I can understand the concern but it's not really something that can be
>> done, especially since even if this is removed, the person could then use a
>> link shortener to hide the malicious content still...
>>> Devel mailing list
>>> Devel at pidgin.im
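The filter sketched in the reply above (flag a link whose visible description is itself a URL whose site differs from the real target, while leaving plain descriptions such as "click here" alone, and treating "twitter.com" pointing at "twitter.com/intent/follow" as legitimate) is easy to state precisely. The following is an added example, not Pidgin code: it checks a (description, href) pair and, following the WYSIWYG suggestion earlier in the thread, returns the visible URL as the effective target when the two disagree. Assumptions: a description without a scheme is read as http://, and hosts count as the same site when equal after dropping a leading "www." or when one is a subdomain of the other. As the thread notes, a shortener that hides the real destination behind its own domain is not caught by this check.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Heuristic for "does this text look like a URL?": an optional scheme, then
# at least one dotted label ending in a TLD-like word or an IPv4 octet,
# optionally a port, then either a path or the end of the string.
_URLISH = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(?:[a-z0-9-]+\.)+(?:[a-z]{2,}|\d{1,3})(?::\d+)?(?:/|$)",
    re.IGNORECASE,
)


def _host(text: str) -> Optional[str]:
    """Lowercase host of a URL-like string, or None if the text is not URL-like.
    Descriptions such as "twitter.com/intent/follow" carry no scheme, so
    http:// is prepended before parsing (assumption for this example)."""
    s = text.strip()
    if not _URLISH.match(s):
        return None
    if "://" not in s:
        s = "http://" + s
    host = urlsplit(s).hostname
    return host.lower() if host else None


def same_site(a: str, b: str) -> bool:
    """Same site when hosts match after dropping a leading 'www.', or when one
    is a subdomain of the other (the thread's 'within the same domain')."""
    a = a[4:] if a.startswith("www.") else a
    b = b[4:] if b.startswith("www.") else b
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def link_mismatch(description: str, href: str) -> bool:
    """True when the visible description is a URL whose site differs from the
    real target. Plain descriptions ('click here') never mismatch; a URL-like
    description pointing at a non-URL target is treated as a mismatch."""
    shown = _host(description)
    if shown is None:
        return False
    real = _host(href)
    if real is None:
        return True
    return not same_site(shown, real)


def effective_target(description: str, href: str) -> str:
    """WYSIWYG resolution: open what the user sees when it disagrees with the
    hidden href; otherwise the href is used unchanged."""
    if not link_mismatch(description, href):
        return href
    d = description.strip()
    return d if "://" in d else "http://" + d


if __name__ == "__main__":
    # Constructed sample pairs (description, href), not taken from the thread's image.
    samples = [
        ("click here", "http://evil.example/"),
        ("twitter.com", "https://www.twitter.com/intent/follow"),
        ("twitter.com", "http://evil.example/twitter.com"),
        ("https://twitter.com", "https://twitter.com.evil.example/"),
    ]
    for desc, target in samples:
        print(f"{desc!r:28} -> {target!r:44} mismatch={link_mismatch(desc, target)} "
              f"opens={effective_target(desc, target)}")
```

The regex deliberately errs toward "not a URL" for odd descriptions, so the filter only ever fires on text that a reader would plausibly mistake for a destination.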