We consider ourselves fairly cautions Internet warriors. We know when to watch out for malicious links and tread lightly during those times. But this hack will still bite even the most cautions of link followers. It’s a hack that changes where a link is sending you after you click on it.
The concept is driven home right away by a link in the post which lists PayPal as the target when you hover over it with your mouse. Clicking on it will give you a warning that it could have been a malicious page you were redirected to. Of course the address line of the page shows that you were sent somewhere else, but it’s still an interesting issue. The hack is accomplished with just a few lines of JavaScript. In fact, the original example was 100 characters but a revision boils that down to just 67.
So who’s vulnerable to this kind of thing? It sounds like everyone that’s not using the Opera browser, which has been patched against the exploit. There are also some updates at the bottom of the post which mention that Firefox has been notified about it and Chrome is working on a patch.
[via Reddit]
Not an issue with Firefox if you have scripts blocked to begin with.
Then again, the web sucks with scripts blocked.
Yup. One of the many reasons you should be running NoScript, and only making exceptions for sites you trust. (Even then, that’s assuming that they haven’t been hacked…)
I’m using latest Opera (12.14) on Vista and I fell into the trap. :O
google uses (or at least used) this technique to rewrite each search result link when it was clicked, so that they could track which search results were clicked.
They don’t do this any more? I hated it cause I couldn’t just right click a search result and copy the link address. But luckily there are extensions to fix this :)
Opera for the win. ^_^
I have been doing web-garbage for 10+ years now and every week or so another “js ninja” idiot reinvents the wheel 1% with a new “hack”. Until this actually executes code or installs something without my knowing, this is just a __complete__ joke.
Just noticed this links to reddit hahaha I didn’t even need to type out the above…
Well for this to work the site you’re visiting has already been hacked so who’s to say the hacker isn’t just going to change the actual links or iframe their own links in. Yes this gives some stealth but 99% of web users don’t look at the urls they’re directed to anyway.
99%?
Where did you get that obviously, ridiculously fabricated number?
If your going to post such remarks, have the intelligence to post some reference links to support what clearly looks to be a fabrication of the truth. Otherwise it’s just FUDD.
Don’t you know that 76.3% of statistics are made up? B^)
I went to bilaw.al and used middle mouse button to open the link in new tab (Firefox) and … nothing happened – just normal paypal page oppened;
Then I clicked with left button and saw “script work”;
After that I tried again to use middle button, but it also gave me script output;
Now I wonder why…
Reproduced…after refreshing the page middle-mouse worked again as expected.
Doesn’t work on firefox if you right click and “open link in new tab”
I’m not a web dev, but isn’t this obvious to those that understand DOM?
In a word, yes… Yes it is.