Insert link facilitates phishing attacks

Coyo coyo at darkdna.net
Wed Nov 20 19:59:18 EST 2013


He's got a point. It wouldn't exactly be a breaking change to silently 
change the anchor's target to the link in the description. Descriptions 
such as "click here" are legitimate, but if "twitter.com" links to 
something that isn't "twitter.com/intent/follow" or something within the 
same domain, I can't think of any legitimate use cases that would break 
if this were filtered.

On 11/19/2013 03:19 PM, Gasper Zejn wrote:
> I'm not saying there isn't a legitimate use case for having a text lead to a
> remote URL. But how many legitimate use cases are there really for having a
> link description in a form of a URL, especially when the link URL differs from
> description URL?
>
> Tooltips help, but then again some protocols do not even allow for such rich
> content, e.g. IRC. So just by switching protocols you are now in a greater
> danger, and an old habit of trusting displayed content (WYSIWYG) makes you
> vulnerable without even realizing it until you get burned once.
>
>
> Kind regards,
> Gašper Žejn
>
>
> On Wednesday, 20 November 2013 at 01:50:48, Ashish Gupta wrote:
>> Even though a person can abuse hyperlinks in all applications that support
>> it, maybe it's not that bad an idea to be safe.
>>
>> Say A sends to B a link :
>> http://somethingBadHere
>>
>> Disguised as
>>
>> http://pidgin.im
>>
>> The security check could then follow the WYSIWYG approach and always open
>> the link visible instead of whatever is contained in the URL.
>>
>> If a user is dumb enough to click it, he or she might as well get infected
>> with malware if it's a bad link. But other than that, if it's a bad link
>> concealed as a good one, just stick to the good one.
>>
>> And yeah.  Tooltips help.
>>
>> - Ashish
>>
>> On 11/19/2013 4:18 AM Gasper Zejn <zejn at kiberpipa.org> said unto
>> devel at pidgin.im:
>>
>>> Pidgin's feature insert link can be used to launch a phishing attack, see
>>
>>> attached image.
>>>
>>> By inserting a link into description link, you can fool a more
>>> knowledgeable
>>> person thinking he is clicking a link to page A, when in fact the link
>>> will
>>> take him to page B.
>>>
>>> kind regards,
>>> Gašper Žejn
>>>
>> Just like every other application in the history of hyperlinks? You can
>> do the same in nearly every email client, Word, every website, every other
>> chat client I've ever used...
>>
>> I can understand the concern but it's not really something that can be
>> done, especially since even if this is removed, the person could then use a
>> link shortener to hide the malicious content still...
>>
>> -Michael
>>
>>> _______________________________________________
>>> Devel mailing list
>>> Devel at pidgin.im
>>> http://pidgin.im/cgi-bin/mailman/listinfo/devel
