Skip to content Skip to sidebar Skip to footer
Home / Href / Javascript / Phishing / Security

Why Do Browsers Allow Onmousedown Js To Change Href?

Post a Comment
I've noticed for a very long time that when you try to copy a link location or open a link on Facebook, it modifies the link and passes it through l.php. For example, I can be sen

Solution 1:

I agree that there is potential here for phishing. This was reported as a bug in FireFox quite a long time ago, but the problem is this:

<bodyonmousedown="document.getElementById('changeMe').href='www.somewhereelse.com'"><aid="changeMe"href="www.google.com">google</a></body>

Events bubble up to their parent, you would need to detect if an onmousedown event was going to change the href of a child element. Sounds reasonable? Okay, how about this:

<script>functionswitcher() {
       window.location = "www.somewhereelse.com";
       returnfalse;
    }
</script><bodyonmousedown="switcher()"><ahref="www.google.com">google</a></body>

So we need to look out for window.location in functions triggered by onmousedown events as well. Still sound reasonable? How about if I have the onmousedown event remove the link altogether, replace it with a new element and then trigger the click on that. I can keep coming up with examples.

The point is, Javascript can be used to misdirect people using the status bar - you shouldn't trust it, you can only trust the URL.

To change this browsers would need to give the set href value on a link at the time of the click presidency over any other events that might happen, basically disable mouse events on anchor tags. I would venture to guess they probably won't do this, it would break too many applications that already exist.

Edit: Alternatively, I've seen people propose different methods of detecting and warning the user about possible link hijacking, but I've not seen any implemented yet.

Solution 2:

The advice many of us have given to less tech-savvy people (check where the link is taking you before you click so that you don't become a victim of phishing) now seems to have become useless.

If by "check" you mean the link 'preview' browsers show at the bottom status bar then you are correct. That is not enough to check whether a link really goes where it claims to be going. For instance, running the jquery script below on a page will cause all link to go to google.com regardless of what the actual href target of the link is:

$('a').click(function(evt){evt.preventDefault();window.location.href="http://google.com"})

Solution 3:

Can't phishing websites misuse this?

Not really, because facebook is where the said javascript would have to be called from. The user has to go an untrusted source in the first place who would embed the javascript in the tag.

Post a Comment for "Why Do Browsers Allow Onmousedown Js To Change Href?"