User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040614 Firefox/0.9 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040614 Firefox/0.9 Hi, this is my first bug report ... I manipulated a link with javascript, when you hover in, the status bar will display http://www.mozilla.org, but when you click, the browser will open http://www.google.com (even when disallowing "change status bar text"), tested on mozilla/firefox, internet explorer an opera. The script edit the value of href on Click, I think that is a bug, because this could be used for phishing: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <title>bug?</title> <script language="JavaScript"> function test(obj) { obj.href = "http://www.google.com"; } </script> </head> <body> <a href="http://www.mozilla.org/" onClick="javascript:test(this)" title="http://www.mozilla.org/" alt="http://www.mozilla.org/" target="_self">mozilla.org</a> </body> </html> sorry for my bad english ;) Reproducible: Always Steps to Reproduce:

This is well known, I don't think there's anything that can be done (short of turning off javascript) to prevent all kinds of tricks. This effect can be accomplished more simply using onClick="location='http://www.google.com'". That won't do quite the same thing if people attempt to open the link in a new tab using ctrl-click and the like, but good enough to catch the sort of people who might fall for a phishing attempt in the first place. wontfix?

*** Bug 285667 has been marked as a duplicate of this bug. ***

This is an automated message, with ID "auto-resolve01". This bug has had no comments for a long time. Statistically, we have found that bug reports that have not been confirmed by a second user after three months are highly unlikely to be the source of a fix to the code. While your input is very important to us, our resources are limited and so we are asking for your help in focussing our efforts. If you can still reproduce this problem in the latest version of the product (see below for how to obtain a copy) or, for feature requests, if it's not present in the latest version and you still believe we should implement it, please visit the URL of this bug (given at the top of this mail) and add a comment to that effect, giving more reproduction information if you have it. If it is not a problem any longer, you need take no action. If this bug is not changed in any way in the next two weeks, it will be automatically resolved. Thank you for your help in this matter. The latest beta releases can be obtained from: Firefox: http://www.mozilla.org/projects/firefox/ Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html Seamonkey: http://www.mozilla.org/projects/seamonkey/

Hump! I see this bug is about to get dropped and I don't know whether it is being worked on, so will add my two cents worth... Just because there has been no activity on it does not mean it is an invalid bug report. Please analyize it first and THINK about it! This is a serious security flaw and needs to be addressed. As for Daniel Veditz's conclusion that nothing can be done about this, speaking now as a software engineer myself (over 30 years of experience) boy do I have to strongly disagree with you! I also reported another simpler version of this problem which certainly can be handled very easily, see bug 285667. It requires a simple fix and doing a straight forward check/fix on it would catch a lot of philsing attempts. There are two possible scenerios that a user may face when he/she is about to click on a link. This first scenerio is when the user is presented, up front, with information about what the purported target URL will be, that when he/she clicks on the link, the brower will transition to and display. This commonly occurs when html code such as <a href="http://www.somebogusdomain.com/index.html"> http://www.somedomain.com</a> is used, or as was shown in the example for this bug report. The second scenerio occurs when the user is NOT presented up front with information about what the target URL will be, or the browser/email client app does not have enough info to make an automagic verification, as in <a href="http://www.somebogusdomain.com/index.htm">Click here to go to our website.</a> or even worse <p><a href="http://www.somebogusdomain.com/index.htm">Click here </a> to go to http://www.somedomain.com.</p> While, yes the target link will show up in the status bar of the browser, before the transition occurs, it is still questionable, especially when this type of link occurs in an email, and I will address it also. . Philshing detection for the first scenerio described above is simple to do as this is a simple verifiable state change transition in all its variations. Here the user was presented, in a secondary fashion, what the purported target URL will be within a structured context and in a valid URL format. In other words, the client app - Firefox, Mozilla, or Thunderbird - simply has to check if the user was presented with a valid URL (requires some clever parsing but not all that difficult to do), record what the purported target URL will be, for state transition the user believes will happen when he clicks on a link. In other words, the URL the user believes the browser will be transitioning to, based on the information that was presented to him in the link. The client app then compares that against the actual URL reached, brought on by the state transition that occurred (i.e. the URL actually reached). Upon comparison of the two, before the client app actually has the new page displayed, it presents the user with a warning dialog, if the two are different, and presents him/her with choices of A) accept the transition, B) Reject the transition, C) Mark the transition as OK for all future occurances of it, D) Mark the transition as Unaccepted for all future occurances.. Since it is possible for server side redirections to occur, I would limit the comparisons of the URL's, before and after the transition, to just the base portion and verify that the domains at least remain consistant. That will still cause some false dialog boxes to be presented to the user, if an when a server redirects a page to a new domain, but I should think that won't happen all that often, and the client app can be trained to accept these. This cost to the user is far better than having him be lead to a philsher unknowningly. As for the second scenerio I describe, where the user was not presented up front with the target URL, within a structured context, may I propose handling this in a more passive way. (I am sure there are other possible answers and this could be the subject of some good brainstorming) Present the user with an icon in the toolbar of the browser indicating that the page was transitioned to from a questionable link. In other words, this icon is presented when the browser was unable to automagically confirm that the transition was truely a valid and/or expected one. If the user clicks on this icon, then present him/her with the aforemention dialog box to allow him/her to train the browser to accept or reject all future attempts to reach that particular webpage. At least the browser is now attempting to bring it to the users attention that the target URL reached, should be verified, but because it is passive the user is not required to do so. The dialog box should also make some simple suggestions as to how to verify a URL, such as looking closely at the domain name and see if it makes reasonable sense. Personally, I feel this problem is far more serious when it occurs in emails with html, than on webpages directly, and the Thunderbird team should be paying very close attention to this. In this case, the checking/verification has to occur between the link the user is clicking on in an email, and the URL that is being used when the web browser is about to be launched. If the checking/verification cannot be done, as described in scenerio two, then one possible solution is the interface between Thunderbird and Firefox may have to be extended a bit so that Thunderbird can inform Firefox that the link is questionable. Another might be to have the user confirm, via a dialog box, that he/she truely wants to bring up the browser on a website that came from a questionable link. If you have ever programmed relational databases, this kind of transition checking is done all the time.. No rocket computer science here! I won't argue that this will cover all philshing attempts, but it will eleminate or help eleminate some of the most obvious ones and it will not require any difficult programming. Especially if the teams have been and are using good object oriented programming techniques and code reuse. ;-)