HTML link tag hack sends you to the wrong place


We consider ourselves fairly cautious Internet warriors. We know when to watch out for malicious links and tread lightly during those times. But this hack will still bite even the most cautious of link followers. It’s a hack that changes where a link is sending you after you click on it.

The concept is driven home right away by a link in the post which lists PayPal as the target when you hover over it with your mouse. Clicking on it will give you a warning that it could have been a malicious page you were redirected to. Of course the address line of the page shows that you were sent somewhere else, but it’s still an interesting issue. The hack is accomplished with just a few lines of JavaScript. In fact, the original example was 100 characters but a revision boils that down to just 67.

So who’s vulnerable to this kind of thing? It sounds like everyone that’s not using the Opera browser, which has been patched against the exploit. There are also some updates at the bottom of the post which mention that Firefox has been notified about it and Chrome is working on a patch.
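
A defender's view of the behaviour described above, as an added example that is not from the original post or the linked write-up: a user-script-style guard that remembers the origin shown on hover and cancels the click if the origin has changed by the time the click reaches the document. It assumes the page's script swaps the `href` in a handler on the link itself; `createLinkGuard`, `originOf` and the wiring are hypothetical names.

```javascript
// Added example (not from the original post): block a click when the link's
// origin changed between hover and click. All names here are hypothetical.
function originOf(href) {
  try {
    return new URL(href).origin;
  } catch (_) {
    return String(href); // unparsable: compare the raw string instead
  }
}

function createLinkGuard() {
  const shownOnHover = new WeakMap(); // link element -> href seen on hover

  return {
    // Remember the destination displayed while the pointer is over the link.
    onHover(link) {
      shownOnHover.set(link, link.href);
    },
    // Compare the destination at click time with what was displayed.
    onClick(link, event) {
      if (!shownOnHover.has(link)) return { blocked: false, reason: "not-hovered" };
      const shown = originOf(shownOnHover.get(link));
      const actual = originOf(link.href);
      if (shown === actual) return { blocked: false, reason: "same-origin" };
      event.preventDefault(); // stop the navigation to the swapped target
      return { blocked: true, shown, actual };
    },
  };
}

// Browser wiring (skipped outside a browser). The bubble-phase click listener
// on document runs after the link's own handlers, unless one of them calls
// stopPropagation(); middle clicks fire "auxclick" and are not covered here.
if (typeof document !== "undefined") {
  const guard = createLinkGuard();
  const linkOf = (e) => (e.target.closest ? e.target.closest("a[href]") : null);
  document.addEventListener("mouseover", (e) => {
    const link = linkOf(e);
    if (link) guard.onHover(link);
  }, true);
  document.addEventListener("click", (e) => {
    const link = linkOf(e);
    if (!link) return;
    const result = guard.onClick(link, e);
    if (result.blocked) console.warn("Link target changed:", result.shown, "->", result.actual);
  });
}
```

Same-origin rewrites, such as the click-tracking redirects mentioned in the comments, pass through; only a change of origin is blocked.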

[via Reddit]

Comments

  1. Xyroze says:

    Not an issue with Firefox if you have scripts blocked to begin with.

  2. Max says:

    I’m using latest Opera (12.14) on Vista and I fell into the trap. :O

  3. Jeff Epler says:

    Google uses (or at least used) this technique to rewrite each search result link when it was clicked, so that they could track which search results were clicked.

    • tobi says:

      They don’t do this any more? I hated it cause I couldn’t just right click a search result and copy the link address. But luckily there are extensions to fix this :)

  4. Royell says:

    Opera for the win. ^_^

  5. datruff says:

    I have been doing web-garbage for 10+ years now and every week or so another “js ninja” idiot reinvents the wheel 1% with a new “hack”. Until this actually executes code or installs something without my knowing, this is just a __complete__ joke.

    Just noticed this links to reddit hahaha I didn’t even need to type out the above…

  6. Andrew says:

    Well for this to work the site you’re visiting has already been hacked so who’s to say the hacker isn’t just going to change the actual links or iframe their own links in. Yes this gives some stealth but 99% of web users don’t look at the urls they’re directed to anyway.

  7. 99%?
    Where did you get that obviously, ridiculously fabricated number?

    If you’re going to post such remarks, have the intelligence to post some reference links to support what clearly looks to be a fabrication of the truth. Otherwise it’s just FUDD.

  8. silvery says:

    I went to bilaw.al and used middle mouse button to open the link in new tab (Firefox) and … nothing happened – just normal paypal page opened;
    Then I clicked with left button and saw “script work”;
    After that I tried again to use middle button, but it also gave me script output;

    Now I wonder why…

  9. patrick says:

    Doesn’t work on firefox if you right click and “open link in new tab”

  10. I’m not a web dev, but isn’t this obvious to those that understand DOM?
