Hacking a 100 character tag
Not so long ago, I discovered that JavaScript allows you to change the href attribute of the <a> tag after you click on it. At first glance, it looks frivolous, but do not hesitate - in this way an attacker can get user data.
Let me show you: ( Note: you can see an example in the original article . The link initially leads to PayPal, but after clicking, it redirects to another page of the author’s blog. )
As you have seen, you did not switch to PayPal (except for Opera, where, apparently, this behavior is corrected). This happened because after clicking on the link, the code that changed the href attribute of the link was launched, and surprisingly, the browser sends a new address. But this should not happen. Visitors to the site (perhaps the most technically savvy of them) using the link will suggest where they are going, in this case, to the PayPal site. Last year, PayPal redirected from its homepage (UK) to paypal-business.co.uk for several months. In my opinion, users have become accustomed to such redirections, which in itself is a vulnerability and represents a real threat, as I call it “Phishing 2.0”.
Take a look at the code:
This event is very difficult to detect. Almost everyone who uses JavaScript / jQuery uses the <a> tag's event handlers, rather than hanging the onclick attribute directly on the link, which is much more difficult to find. In addition, you can use the setTimeout wrapper to bypass any ways to detect a handler. Any more or less capable hacker can make a computer virus or use embedded JavaScript code for injection. It is very easy to update JavaScript code (by injection, in particular), and I would say that tools such as McAfeeSecure and PhishTank are not able to withstand “Phishing 2.0”
')
Since There is no real benefit in changing the attribute of the link for the onclick event, I suggest the World Wide Web Consortium (W3C) and the main browsers disable this feature. This is an incredibly simple flaw, and this behavior may seem normal to someone, but it can most likely be used to harm, not benefit. I understand that Google and other sites can use this behavior, but if we want to make the Internet secure, we should not allow such a small vulnerability to exist.
UPD (19/3) - An idea appeared - to warn users that when clicking on a link, they will switch to another domain ( +1 to abididea ). Sites such as Google and Facebook will continue to function normally, because use one domain, and this eliminates the possibility of phishing. In this case, everyone will win (except for phishers, of course!). I need your help for the main browsers to accept this idea as quickly as possible. Let's take away from intruders one easy way to deceive ordinary users.
UPD (19/3) - Suggested fixes Firefox, waiting for a response.
UPD (20/3) - Rumor has it that Google Chrome will release a patch, but have not heard confirmation of this.
( This is my first translation, please do not judge strictly,% username%, I will gladly accept all comments in a personal and try to correct. )
UPD: I want to pay attention - my opinion does not always coincide with the author of the original article, especially in the idea of ​​a redirect notification. And I support the point of view already expressed in the comments that it is necessary to check the address bar before entering data.
Let me show you: ( Note: you can see an example in the original article . The link initially leads to PayPal, but after clicking, it redirects to another page of the author’s blog. )
As you have seen, you did not switch to PayPal (except for Opera, where, apparently, this behavior is corrected). This happened because after clicking on the link, the code that changed the href attribute of the link was launched, and surprisingly, the browser sends a new address. But this should not happen. Visitors to the site (perhaps the most technically savvy of them) using the link will suggest where they are going, in this case, to the PayPal site. Last year, PayPal redirected from its homepage (UK) to paypal-business.co.uk for several months. In my opinion, users have become accustomed to such redirections, which in itself is a vulnerability and represents a real threat, as I call it “Phishing 2.0”.
Take a look at the code:
// var links = document.links; for(i in links) { links[i].onclick = function(){ this.href = 'http://bit.ly/141nisR'; }; } // ( 100 ; 67, ) // sgoel HN o=document.links;for(i in o){o[i].onclick=function(){this.href='//bit.ly/141nisR'}} This event is very difficult to detect. Almost everyone who uses JavaScript / jQuery uses the <a> tag's event handlers, rather than hanging the onclick attribute directly on the link, which is much more difficult to find. In addition, you can use the setTimeout wrapper to bypass any ways to detect a handler. Any more or less capable hacker can make a computer virus or use embedded JavaScript code for injection. It is very easy to update JavaScript code (by injection, in particular), and I would say that tools such as McAfeeSecure and PhishTank are not able to withstand “Phishing 2.0”
')
UPD (19/3) - An idea appeared - to warn users that when clicking on a link, they will switch to another domain ( +1 to abididea ). Sites such as Google and Facebook will continue to function normally, because use one domain, and this eliminates the possibility of phishing. In this case, everyone will win (except for phishers, of course!). I need your help for the main browsers to accept this idea as quickly as possible. Let's take away from intruders one easy way to deceive ordinary users.
UPD (19/3) - Suggested fixes Firefox, waiting for a response.
UPD (20/3) - Rumor has it that Google Chrome will release a patch, but have not heard confirmation of this.
( This is my first translation, please do not judge strictly,% username%, I will gladly accept all comments in a personal and try to correct. )
UPD: I want to pay attention - my opinion does not always coincide with the author of the original article, especially in the idea of ​​a redirect notification. And I support the point of view already expressed in the comments that it is necessary to check the address bar before entering data.
Source: https://habr.com/ru/post/173691/
All Articles