Security Vulnerability found

Ethan Blanton elb at
Sun Mar 20 14:49:02 EDT 2016

b3rito spake unto us the following wisdom:
>  I found a security vulnerability which can unmask and infect any user
> even if he is under tor.
> This vulnerability consists on editing the href of a url/word and pointing
> it to a any website.

If you mean by sending, e.g.:

    <a href=""></a>

... then this is known, reported, and should be worked around with a
tooltip that displays the actual target URL.  We understand that this
is not a particularly robust solution, but a more robust solution is
complicated to implement.  There have been discussions of warning the
user when the text of a link appears to be a URL that is different
from the link itself, but this is complicated to actually address --
for example, if the link text of the above HTML were "Pidgin website",
it is still misleading and there is no way to verify this.

> It is not that easy to explain how to generate the "bad url" so I would
> like to ask you if it is possible to show it to you.

Why not?  Did I just do it above?


More information about the security mailing list