Insert link facilitates phishing attacks

Gasper Zejn zejn at kiberpipa.org
Tue Nov 19 16:19:15 EST 2013


I'm not saying there isn't a legitimate use case for having a text lead to a 
remote URL. But how many legitimate use cases are there really for having a 
link description in a form of a URL, especially when the link URL differs from 
description URL?

Tooltips help, but then again some protocols do not even allow for such rich 
content, eg. IRC. So just by switching protocols you are now in a greater 
danger and an old habit of trusting displayed content (WYSIWYG) makes you 
vulnerable without even realizing until you get burned once.


Kind regards,
Gašper Žejn


On Wednesday, 20 November 2013 at 01:50:48, Ashish Gupta wrote:
> Even though a person can abuse hyperlinks in all applications that support
> it, maybe it's not that bad an idea being safe.
> 
> Say A sends to B a link :
> http://somethingBadHere
> 
> Disguised as
> 
> http://pidgin.im
> 
> The security check could then follow the WYSIWYG approach and always open
> the link visible instead of whatever is contained in the URL.
> 
> If a user is dumb enough to click it, he or she might as well get infected
> with malware if it's a bad link. But other than that, if it's a bad link
> concealed as a good one, just stick to the good one.
> 
> And yeah. Tooltips help.
> 
> - Ashish
> 
> On 11/19/2013 4:18 AM Gasper Zejn <zejn at kiberpipa.org> said unto
> devel at pidgin.im:
> 
> > Pidgin's feature insert link can be used to launch a phishing attack, see
> > attached image.
> > 
> > By inserting a link into description link, you can fool a more
> > knowledgeable
> > person thinking he is clicking a link to page A, when in fact the link
> > will
> > take him to page B.
> > 
> > kind regards,
> > Gašper Žejn
> > 
> Just like every other application in the history of hyperlinks? You can
> do the same in nearly every email client, word, every website, every other
> chat client I've ever used...
> 
> I can understand the concern but it's not really something that can be
> done, especially since even if this is removed, the person could then use a
> link shortener to hide the malicious content still...
> 
> -Michael
> 
> > _______________________________________________
> > Devel mailing list
> > Devel at pidgin.im
> > http://pidgin.im/cgi-bin/mailman/listinfo/devel
> 
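The thread argues about two defensive options: Ashish's WYSIWYG rule (when the visible text is itself a URL, open the URL the user can see rather than the hidden target) and Gašper's point that plain-text protocols such as IRC cannot show a tooltip at all, so a deceptive description must be made visible some other way. The following is an added example, not Pidgin's code, showing what such a check could look like in a client; the function names `looks_like_url`, `check_link` and `render_plain`, the hostname-comparison heuristic, and the sample links are all assumptions made here for illustration. The Ashish's example link (`http://pidgin.im` shown, `http://somethingBadHere` behind it) is the constructed input.

```python
from urllib.parse import urlsplit

# Hypothetical helper: does the visible link text itself look like a URL or host name?
# Plain words ("download page") may point anywhere; a text that *reads* as a URL
# is the case the thread is worried about.
def looks_like_url(text):
    t = text.strip()
    if "://" in t:
        return True
    # bare host such as "pidgin.im" or "www.example.com/path"
    head = t.split("/", 1)[0]
    return "." in head and " " not in head and not head.startswith(".")


def host_of(text):
    """Lower-cased host of a URL or bare host string (assumes http:// if no scheme)."""
    t = text.strip()
    if "://" not in t:
        t = "http://" + t
    host = urlsplit(t).hostname
    return host.lower() if host else None


def check_link(display_text, href):
    """WYSIWYG rule from the thread: return (verdict, url_to_open).

    verdict is 'ok' when the text is not URL-like or its host matches the
    target, and 'mismatch' when the visible text names one host but the
    hidden target another (including look-alike hosts such as
    pidgin.im.evil.example). On a mismatch the visible URL is the one opened.
    """
    if not looks_like_url(display_text):
        return "ok", href
    if host_of(display_text) == host_of(href):
        return "ok", href
    return "mismatch", display_text.strip()


def render_plain(display_text, href):
    """Fallback for protocols without rich text or tooltips (e.g. IRC):
    always expose the real target next to the description unless they are
    already identical, so the reader never has to trust the description alone."""
    if display_text.strip() == href.strip():
        return display_text.strip()
    return "%s <%s>" % (display_text.strip(), href.strip())


if __name__ == "__main__":
    # Constructed sample from the thread: benign-looking text, hidden target.
    print(check_link("http://pidgin.im", "http://somethingBadHere"))
    print(render_plain("http://pidgin.im", "http://somethingBadHere"))
```

The hostname comparison is deliberately strict: a description of `pidgin.im` over a target of `pidgin.im.evil.example` is treated as a mismatch, since the user would read the former and land on the latter. The plain-text rendering is what Gašper's IRC point implies: where a tooltip cannot be shown, the target URL must be part of the visible message.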