Nytro Posted March 17, 2013

Hacking the <a> tag in 100 characters

17 March 2013 / 439 words

A short while ago, I discovered that JavaScript allows you to change the <a> href after you click on it. It may not seem that serious at first glance, but rest assured, it can trick customers into giving their details to fraudsters. Let me show you an example.

This link should take you to PayPal. You'll see that you do not end up on PayPal (except on Opera, where it appears to have been fixed). That's because when you clicked on the link, I ran some code that changed the href attribute and, surprisingly, the browser sent me to the new link. That shouldn't happen.

Website visitors (and perhaps most tech-savvy people) can and will presume where they end up could just be a genuine redirection from, in this case, PayPal. Last year, PayPal redirected their UK homepage to paypal-business.co.uk for months. My assumption is website visitors have grown accustomed to redirections, and if this flaw acts as such, it can pose a real threat to what I call Phishing 2.0.

Let's take a look at the JavaScript:

    // Uncompressed
    var links = document.getElementsByTagName('a');
    for (var i = 0; i < links.length; i++) {
        links[i].onclick = function () {
            this.href = 'http://bit.ly/141nisR'; // Insert link here
        };
    }

    // Compressed (100 characters exc. the link)
    o=document.getElementsByTagName('a');for(j=0;j<o.length;j++){o[j].onclick=function(){this.href='http://bit.ly/141nisR';}}

It's also very difficult to detect. Almost everyone who uses JavaScript/jQuery will bind an event to an <a> tag, so it's not as simple as unbinding every <a> onclick function. It's very much possible to wrap the code above in a setTimeout to bypass whatever solution can be found. Any half-decent hacker can make a computer virus or embeddable JavaScript code that can inject this code alongside another piece of software.

As it's incredibly easy to update JavaScript (particularly embeddable), I would say that tools such as McAfeeSecure and PhishTank won't be able to keep up with phishing websites up to the second.

As it shows no real benefit, I'm pledging to World Wide Web Consortium (W3C) and major browsers to disable the option to change the href attribute after an onclick event. It is an incredibly simple interpreter flaw, and whilst it may seem normal to some, it can be used for ill-fated purposes rather than good. I'm aware Google and websites as such use this, but if we're supposed to be making the web safer, we can't allow for what can be simple flaws to exist. There are alternatives (such as using the genuine link rather than masking it), and for that reason, it should be disabled. It's not worth internet users being victims of fraud and theft.

Source: Hacking the <a> tag in 100 characters
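The post says the swap is hard to detect because unbinding every onclick is not an option. A page-side guard does not need to touch the anchors' handlers at all: it records the href the user saw when the click first enters the document (capture phase) and re-checks it after the anchor's own handlers have run (bubble phase), cancelling the navigation if the target moved. This is an added example, not code from the post; the names installHrefGuard, makeClickGuard and hrefTargetsDiffer are mine.

```javascript
// Added defensive example (not from the original post). Assumed names:
// hrefTargetsDiffer, makeClickGuard, installHrefGuard.

// Compare two absolute URLs after normalisation (scheme/host case, trailing
// slash); anything that does not parse is treated as a change.
function hrefTargetsDiffer(seen, now) {
  try {
    return new URL(seen).href !== new URL(now).href;
  } catch (e) {
    return true;
  }
}

// anchorOf(ev) resolves the clicked <a> (or null); onBlock(before, after) is the
// reporting hook. begin() runs in the capture phase, end() in the bubble phase.
function makeClickGuard(anchorOf, onBlock) {
  const seen = new WeakMap(); // event -> href the user saw when the click began
  return {
    begin(ev) {
      const a = anchorOf(ev);
      if (a) seen.set(ev, a.href);
    },
    end(ev) {
      const a = anchorOf(ev);
      if (!a || !seen.has(ev)) return;
      const before = seen.get(ev);
      if (hrefTargetsDiffer(before, a.href)) {
        ev.preventDefault(); // stop the browser following the swapped href
        onBlock(before, a.href);
      }
    },
  };
}

// Wire the guard onto a root node. The capture listener fires before the
// anchor's own onclick (the handler the post's snippet installs), the bubble
// listener fires after it, so the swap is visible in between.
function installHrefGuard(root, anchorOf, onBlock) {
  const guard = makeClickGuard(anchorOf, onBlock);
  root.addEventListener('click', (ev) => guard.begin(ev), true);
  root.addEventListener('click', (ev) => guard.end(ev), false);
  return guard;
}

// Browser usage; skipped when the file runs under Node for a self-test.
if (typeof document !== 'undefined') {
  installHrefGuard(document,
    (ev) => (ev.target && ev.target.closest ? ev.target.closest('a[href]') : null),
    (before, after) => console.warn('blocked href swap:', before, '->', after));
}
```

The check only covers handlers bound on the anchor itself (as in the snippet above); a hostile listener registered on document or window after the guard would still run after the bubble-phase check, so treat the blocked-swap report as a detection signal rather than a complete fix.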