HTML Link Tag Hack Sends You To The Wrong Place


We consider ourselves fairly cautions Internet warriors. We know when to watch out for malicious links and tread lightly during those times. But this hack will still bite even the most cautions of link followers. It’s a hack that changes where a link is sending you after you click on it.

The concept is driven home right away by a link in the post which lists PayPal as the target when you hover over it with your mouse. Clicking on it will give you a warning that it could have been a malicious page you were redirected to. Of course the address line of the page shows that you were sent somewhere else, but it’s still an interesting issue. The hack is accomplished with just a few lines of JavaScript. In fact, the original example was 100 characters but a revision boils that down to just 67.

So who’s vulnerable to this kind of thing? It sounds like everyone that’s not using the Opera browser, which has been patched against the exploit. There are also some updates at the bottom of the post which mention that Firefox has been notified about it and Chrome is working on a patch.

[via Reddit]

16 thoughts on “HTML Link Tag Hack Sends You To The Wrong Place

    1. Yup. One of the many reasons you should be running NoScript, and only making exceptions for sites you trust. (Even then, that’s assuming that they haven’t been hacked…)

  1. I have been doing web-garbage for 10+ years now and every week or so another “js ninja” idiot reinvents the wheel 1% with a new “hack”. Until this actually executes code or installs something without my knowing, this is just a __complete__ joke.

    Just noticed this links to reddit hahaha I didn’t even need to type out the above…

  2. Well for this to work the site you’re visiting has already been hacked so who’s to say the hacker isn’t just going to change the actual links or iframe their own links in. Yes this gives some stealth but 99% of web users don’t look at the urls they’re directed to anyway.

  3. I went to and used middle mouse button to open the link in new tab (Firefox) and … nothing happened – just normal paypal page oppened;
    Then I clicked with left button and saw “script work”;
    After that I tried again to use middle button, but it also gave me script output;

    Now I wonder why…

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.