Why do browsers allow onmousedown JS to change href?

I've noticed for a very long time that when you try to copy a link location or open a link on Facebook, it modifies the link and passes it through l.php.

For example, I can be sent to

 http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.google.com%2F&h=DKVUritNDJDJLDLVbldoDLFKBLOD5dlfDJY_-d3fgDUaA9b

even though my browser renders the link preview as http://www.google.com/.

Today, I took a closer look using Firebug and found that Facebook puts onmousedown="UntrustedLink.bootstrap($(this)[...] in the <a> tag. The second I right clicked the link, I saw the href attribute change in Firebug.

This worries me.

The advice many of us have given to less tech-savvy people (check where the link is taking you before you click so that you don't become a victim of phishing) now seems to have become useless. Isn't this a security risk? Can't phishing websites misuse this?

Why don't browsers prevent this behavior either by disallowing onmousedown to change the href or by running the JavaScript before reading the href attribute, so that I am sent to the location I thought I was going to, not the one changed while I was clicking it?

Edit: I want to briefly emphasize that what bothers me more than the risk of phishing is that users are being misled and it simply feels wrong to me that this can happen, whether by a trusted source or not.

Umang asked Aug 26 '11 14:08


1 Answer

I agree that there is potential here for phishing. This was reported as a bug in Firefox quite a long time ago, but the problem is this:

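<!-- mousedown bubbles up to <body>, which rewrites the link before the click completes -->
<body onmousedown="document.getElementById('changeMe').href='http://www.somewhereelse.com/'">
    <a id="changeMe" href="http://www.google.com/">google</a>
</body>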

Events bubble up to their parent, so you would need to detect if an onmousedown event was going to change the href of a child element. Sounds reasonable? Okay, how about this:

<script>
    // Navigates the whole window on mousedown; the link's href is never touched
    function switcher() {
       window.location = "http://www.somewhereelse.com/";
       return false;
    }
</script>
<body onmousedown="switcher()">
    <a href="http://www.google.com/">google</a>
</body>

So we need to look out for window.location in functions triggered by onmousedown events as well. Still sound reasonable? How about if I have the onmousedown event remove the link altogether, replace it with a new element and then trigger the click on that. I can keep coming up with examples.

The point is, JavaScript can be used to misdirect people using the status bar - you shouldn't trust it, you can only trust the URL.

To change this, browsers would need to give the set href value on a link at the time of the click precedence over any other events that might happen, basically disable mouse events on anchor tags. I would venture to guess they probably won't do this; it would break too many applications that already exist.

Edit: Alternatively, I've seen people propose different methods of detecting and warning the user about possible link hijacking, but I've not seen any implemented yet.

nwellcome answered Jan 30 '23 12:01
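One way to detect and warn about the href swap discussed above, as an added example that is not part of the original question or answer and is not any browser's own code. The names `classifyHrefChange` and `createHrefGuard` are hypothetical, and it assumes the script runs on the page (for instance as a user script) with capture-phase listeners:

```javascript
// Added example: classifyHrefChange and createHrefGuard are hypothetical names.

// Compare the URL shown on hover with the URL present at click time.
function classifyHrefChange(shownHref, clickHref) {
  if (shownHref === clickHref) return 'unchanged';
  let shown, now;
  try {
    shown = new URL(shownHref);
    now = new URL(clickHref);
  } catch (e) {
    return 'replaced'; // unparsable: treat as a different destination
  }
  // A redirector such as l.php?u=<original> carries the shown URL as a parameter.
  for (const value of now.searchParams.values()) {
    try {
      if (new URL(value).href === shown.href) return 'wrapped';
    } catch (e) { /* this parameter is not a URL */ }
  }
  return 'replaced';
}

function createHrefGuard(onChange) {
  const shownAtHover = new WeakMap(); // anchor element -> href seen on hover
  const anchorOf = (target) =>
    target && typeof target.closest === 'function' ? target.closest('a[href]') : null;
  return {
    hover(event) { // remember what the status bar would have displayed
      const a = anchorOf(event.target);
      if (a) shownAtHover.set(a, a.href);
    },
    click(event) { // re-check just before navigation
      const a = anchorOf(event.target);
      if (!a || !shownAtHover.has(a)) return 'unchanged';
      const verdict = classifyHrefChange(shownAtHover.get(a), a.href);
      if (verdict !== 'unchanged') {
        if (verdict === 'replaced') event.preventDefault(); // block the unrelated target
        onChange(verdict, shownAtHover.get(a), a.href);
      }
      return verdict;
    },
  };
}

if (typeof document !== 'undefined') { // browser wiring; skipped outside a page
  const guard = createHrefGuard((v, shown, now) => console.warn(v, shown, '->', now));
  document.addEventListener('mouseover', guard.hover, true);
  document.addEventListener('click', guard.click, true);
}
```

This only sees the first variant in the answer (an href rewritten between hover and click); the `window.location` and element-replacement variants never present a changed href on the hovered anchor, so this check does not flag them.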