Insert link facilitates phishing attacks
elb at pidgin.im
Tue Nov 19 16:33:33 EST 2013
Mark Doliner spake unto us the following wisdom:
> Yeah, there are definitely things we could do to protect our users better.
> On Tue, Nov 19, 2013 at 12:20 PM, Ashish Gupta <ashmew2 at gmail.com> wrote:
> > The security check could then follow the WYSIWYG approach and always open
> > the link visible instead of whatever is contained in the URL.
> Or at least warn the user and ask which URL they want to open.
This seems very reasonable to me. If we check the link text and it's
also something that has a URL handler, but differs from the
target, warn the user. My only concern is that there might be a
service that escapes entities in one but not the other, etc., causing
false positives -- but we can always try it and find out.
> We could also check links for malware and phishing using Google's Safe
> Browsing API and warn the user.
This I do not support, at least without an option that defaults to
off. (Perhaps with a prompt to ask the user, before they click on
their first link?) I'm not a fan of leaking the links sent to someone
in an IM to Google or anyone else.
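The check discussed in this message, as an added worked example (example code written for this page, not code from Pidgin or from anyone in the thread): extract each anchor's href and visible text, normalise both sides (entity unescaping, host case, trailing slash, http/https collapsed) so that the escaping differences the author worries about do not trip a false positive, and warn only when the visible text is itself something a URL handler would open and it points somewhere else. The set of handled schemes and the sample messages are assumptions constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: schemes the IM client hands to a URL handler.
HANDLED_SCHEMES = {"http", "https", "ftp", "mailto", "xmpp"}


class AnchorExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in a message body.
    HTMLParser already decodes entity references in attributes and text."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None


def canonical(text):
    """Return a comparison form of `text` if a URL handler would open it, else None.
    Unescaping is applied here too, so a service that escapes entities in the
    link text but not in the href (or vice versa) still compares equal."""
    t = html.unescape(text.strip())
    if not t or any(c.isspace() for c in t):
        return None
    parts = urlsplit(t)
    scheme = parts.scheme.lower()
    if not scheme:
        # Bare "host/path" form: only a link if the first segment looks like a host.
        head = t.split("/", 1)[0]
        if "." not in head or head.startswith("."):
            return None
        parts = urlsplit("http://" + t)
        scheme = "http"
    if scheme not in HANDLED_SCHEMES:
        return None
    if scheme in ("http", "https"):
        host = (parts.hostname or "").lower()
        path = parts.path.rstrip("/") or "/"
        query = "?" + parts.query if parts.query else ""
        # http and https are collapsed: a scheme upgrade is not a phishing signal.
        return f"http://{host}{path}{query}"
    return f"{scheme}:{parts.path.lower()}"


def check_link(href, text):
    """Decide what a click should do.
    ('ignore', href)          - target is not something we hand to a handler
    ('open', href)            - label is plain text or matches the target
    ('warn', label, href)     - label is a URL that differs from the target"""
    href = html.unescape(href.strip())
    target = canonical(href)
    if target is None:
        return ("ignore", href)
    visible = canonical(text)
    if visible is None or visible == target:
        return ("open", href)
    return ("warn", text.strip(), href)


def scan_message(html_body):
    """Run check_link over every anchor in an HTML message body."""
    parser = AnchorExtractor()
    parser.feed(html_body)
    parser.close()
    return [check_link(h, t) for h, t in parser.anchors]


# Constructed sample messages for the example (not from the thread).
SAMPLES = [
    '<a href="https://example.com/login">https://example.com/login</a>',
    '<a href="http://evil.example.net/x">https://bank.example.com/login</a>',
    '<a href="https://example.com/?a=1&amp;b=2">https://example.com/?a=1&b=2</a>',
    '<a href="https://example.com/docs">read the docs</a>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(scan_message(sample))
```

Only the second sample yields a warning; the third, where the entity is escaped in the href but not in the text, compares equal after normalisation, which is the false-positive case the message raises.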