Insert link facilitates phishing attacks

Coyo coyo at
Wed Nov 20 19:59:18 EST 2013

He's got a point. It wouldn't exactly be a breaking change to silently 
change the anchor's target to the link in the description. Descriptions 
such as "click here" are legitimate, but if "" links to 
something that isn't "" or something within the 
same domain, I can't think of any legitimate use cases that would break 
if this were filtered.

On 11/19/2013 03:19 PM, Gasper Zejn wrote:
> I'm not saying there isn't a legitimate use case for having a text lead to a
> remote URL. But how many legitimate use cases are there really for having a
> link description in a form of a URL, especially when the link URL differs from
> description URL?
> Tooltips help, but then again some protocols do not even allow for such rich
> content, eg. IRC. So just by switching protocols you are now in a greater
> danger and an old habit of trusting displayed content (WYSIWYG) makes you
> vulnerable without even realizing until you get burned once.
> Kind regards,
> Gašper Žejn
> On Wednesday, 20 November 2013 at 01:50:48, Ashish Gupta wrote:
>> Even though a person can abuse hyperlinks in all applications that support
>> it,  maybe it's not that bad an idea being safe.
>> Say A sends to B a link :
>> http://somethingBadHere
>> Disguised as
>> The security check could then follow the WYSIWYG approach and always open
>> the link visible instead of whatever is contained in the URL.
>> If a user is dumb enough to click it,  he or she might as well get infected
>> with malware if it's a bad link. But other than that , if it's a bad link
>> concealed as a good one,  just stick to the good one.
>> And yeah.  Tooltips help.
>> - Ashish
>> On 11/19/2013 4:18 AM Gasper Zejn <zejn at> said unto
>> devel at
>>> Pidgin's feature insert link can be used to launch a phishing attack, see
>>> attached image.
>>> By inserting a link into description link, you can fool a more
>>> knowledgeable
>>> person thinking he is clicking a link to page A, when in fact the link
>>> will
>>> take him to page B.
>>> kind regards,
>>> Gašper Žejn
>> Just like every other application in the history of hyperlinks? You can
>> do the same in nearly every email client, word, every website, every other
>> chat client I've ever used...
>> I can understand the concern but it's not really something that can be
>> done, especially since even if this is removed, the person could then use a
>> link shortener to hide the malicious content still...
>> -Michael
>>> _______________________________________________
>>> Devel mailing list
>>> Devel at
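The "WYSIWYG" check that Ashish and Coyo sketch above, written out as an added example (this is not Pidgin's code): a link keeps its real target only when its description is not itself a URL, or names the same domain as the target; otherwise the URL the user can see is the one that gets opened. The host-comparison rule (exact match or subdomain) and the scheme-less completion are assumptions of this example.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Only descriptions that read as a web address trigger the check;
# a description such as "click here" is left alone, as the thread notes.
_URLISH = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:[/?#][^\s]*)?$", re.I)


def description_url(text: str) -> Optional[str]:
    """Return the description as an absolute URL if it looks like one, else None.
    A scheme-less "bank.example/login" is completed with http:// (assumption),
    since that is how addresses are usually typed into a link description."""
    text = text.strip()
    if not _URLISH.match(text):
        return None
    return text if "://" in text else "http://" + text


def host_of(url: str) -> Optional[str]:
    """Lowercased hostname of an http(s) URL, or None for any other scheme."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def same_domain(a: str, b: str) -> bool:
    """Equal hosts, or one a subdomain of the other (www.bank.example vs
    bank.example): the "within the same domain" allowance from the thread."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def resolve_link(href: str, description: str) -> Tuple[str, str]:
    """Apply the WYSIWYG policy and return (verdict, url_to_open).

    "ok": description is not a URL, or names the same domain as href.
    "mismatch": the visible URL names another domain, so it is returned in
    place of the hidden href, which is what the user believes they clicked."""
    shown = description_url(description)
    if shown is None:
        return "ok", href
    shown_host, real_host = host_of(shown), host_of(href)
    if real_host and shown_host and same_domain(shown_host, real_host):
        return "ok", href
    return "mismatch", shown


if __name__ == "__main__":
    # Constructed samples: one honest link, one disguised as the thread describes.
    for href, text in [("https://bank.example/login", "click here"),
                       ("https://evil.example/", "https://bank.example/login")]:
        print(repr(text), "->", resolve_link(href, text))
```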
