Security Vulnerability found
Ethan Blanton
elb at pidgin.im
Sun Mar 20 14:49:02 EDT 2016
b3rito spake unto us the following wisdom:
> I found a security vulnerability which can unmask and infect any user
> even if he is under tor.
>
> This vulnerability consists on editing the href of a url/word and pointing
> it to a any website.
If you mean by sending, e.g.:
<a href="http://exploit.example.org/">http://pidgin.im</a>
... then this is known, reported, and should be worked around with a
tooltip that displays the actual target URL. We understand that this
is not a particularly robust solution, but a more robust solution is
complicated to implement. There have been discussions of warning the
user when the text of a link appears to be a URL that is different
from the link itself, but this is complicated to actually address --
for example, if the link text of the above HTML were "Pidgin website",
it is still misleading and there is no way to verify this.
> It is not that easy to explain how to generate the "bad url" so I would
> like to ask you if it is possible to show it to you.
Why not? Did I just do it above?
Ethan
More information about the security
mailing list