Closed Bug 269576 Opened 20 years ago Closed 20 years ago

The URL shown in the status bar can be easily spoofed even with dom.disable_window_status_change set to "true"

Categories: Core :: Security, defect
Severity: normal
Tracking: RESOLVED DUPLICATE of bug 229050
People: Reporter: alex, Assigned: dveditz

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2

The following simple method will spoof the target URL address displayed to the user on the status bar when the link is hovered.

<A HREF="https://www.paypal.com" ONCLICK="window.location = 'http://www.imdb.com/title/tt0113243/'; return false">PayPal</A>

Reproducible: Always

Steps to Reproduce:
1. Visit the test case URL.
2. Hover over the "PayPal" link.
3. Verify that the PayPal URL is displayed in the status bar.
4. Left-click on the link.
5. You are not in PayPal!

Actual Results: The user is taken to a URL which differs from the one that was displayed in the status bar.

Expected Results: Not sure... Some kind of warning on the status bar?
Ideally it would be great if the status bar indicated the actual page that would be opened once the link is clicked. OT: I thought I shouldn't be able to see security bugs without some permission set (which I don't have).
This is a duplicate of either bug 229055 or the closely-related bug 229050. I'll take the second of those, as it seems to be the closest match...

*** This bug has been marked as a duplicate of 229050 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
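The mismatch the report describes (an HREF that the status bar shows, and an ONCLICK that navigates somewhere else) can be checked for from the defending side. The following is an added example, not code from the bug report or from Mozilla: a content-scanning function that flags anchors whose inline onclick handler assigns a literal URL to location with an origin different from the href. The sample page it scans is constructed here and includes the report's own anchor; only literal `location = '...'` style assignments are recognised, which is an assumption of this check.

```javascript
// Constructed sample page: the spoofing anchor from the report plus two benign anchors.
const SAMPLE_HTML = `
<a href="https://www.paypal.com" onclick="window.location = 'http://www.imdb.com/title/tt0113243/'; return false">PayPal</a>
<a href="https://example.org/docs" onclick="location.href = 'https://example.org/docs?ref=1'; return false">Docs</a>
<a href="https://example.org/plain">Plain</a>
`;

// Read one attribute value (double- or single-quoted) out of an anchor's attribute string.
// A regex stand-in for a real HTML parser, so this example runs in Node without a DOM.
function attr(attrs, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, 'i');
  const m = re.exec(attrs);
  return m ? (m[1] !== undefined ? m[1] : m[2]) : null;
}

// Pull the string literal assigned to window.location / document.location / location(.href)
// inside an inline handler. Anything that is not a literal assignment yields null.
const NAV_RE = /(?:window\.|document\.)?location(?:\.href)?\s*=\s*(?:"([^"]*)"|'([^']*)')/i;
function onclickTarget(js) {
  const m = NAV_RE.exec(js || '');
  return m ? (m[1] !== undefined ? m[1] : m[2]) : null;
}

// Return one finding per anchor whose onclick navigates to a different origin
// than the href that the browser would show in the status bar on hover.
function findSpoofedAnchors(html) {
  const anchorRe = /<a\b([^>]*)>/gi;
  const findings = [];
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const href = attr(m[1], 'href');
    const target = onclickTarget(attr(m[1], 'onclick'));
    if (!href || !target) continue;
    try {
      const shown = new URL(href).origin;
      const actual = new URL(target).origin;
      if (shown !== actual) findings.push({ href, target, shown, actual });
    } catch (_) {
      // Relative or malformed URLs are out of scope for this origin comparison.
    }
  }
  return findings;
}

console.log(findSpoofedAnchors(SAMPLE_HTML));
```

The second anchor is deliberately not flagged: its onclick changes only the query string, so the origin the user sees still matches the one they land on.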