Recently I came across a post by the developer Bilawal Hameed that alerted us about a phishing technique in JavaScript that is very hard to detect. It is very important for you to know, hence I am making this post so you could be aware, at least until it is fixed by the browsers.

According to Hameed, the JavaScript allows you to change the <a> href after you click on it. This means that they can change the web address after you click on on a link, redirecting you somewhere else.

No, you can’t just hover your cursor over the link to see the address that usually shows up at bottom of the browser window. It will show you the link you are supposed to go, but you will end up somewhere else.

Try a Phishing Link… Safely

Hameed has implemented a link with the JavaScript hack so you could try it out yourself… at least until the browsers fix the security hole. The hack will redirect you to a safe page that otherwise would have been malicious. If you want to get to it quickly, just go to his post and CTRL+F: This link should take you to PayPal.

Browsers: Address the Issue Immediately

Hameed says that Opera has already addressed this issue and will not allow the redirection happen but I downloaded Opera and it still seems to take me to the phishing page. Also, unfortunately other browses like Chrome, Internet Explorer, or Firefox, have not addressed the problem. However, according to his March 19 update, he has contacted Firefox and his March 20 update that there are rumors that Google Chrome will fix this issue.

Testing the Browsers

Safari, Firefox, Internet Explorer, Opera and Chrome are the 5 most used browsers in the world.

At first I thought the security issue was solved because I couldn’t get to the phished page, but then I found out that it’s because I have the habit of opening the links in new tabs with the scroll of my mouse instead of simply clicking on it.

That’s it.

Using a Windows computer, I tested the browsers for both normal click and the open in new tab click and here are the results:

Browser

Normal Click

New Tab Click

Firefox

Unsafe

Safe

Chrome

Unsafe

Unsafe

Safari

Unsafe

Unsafe

Opera

Unsafe

Unsafe

Internet Explorer

Unsafe

Safe

 

How to be Safe Right Now?

According to my little testing earlier, the best way to protect yourself from this specific hack at this point is to simply use Internet Explorer or Firefox and use my workaround. If you have a better idea, please go ahead and tell us about it in the comments section.

Solution for Browsers

A Reddit user, Abadidea, claims that his job is to find security bugs and has recommended a simple solution for the browsers. Hammed has proposed that solution on his article and has brought it up with Firefox. The solution is to warn users if the location of a link changes to a different domain after they click on it.

Example:

You click on a phished link that is supposed to take you towww.AmadeusConsulting.com/services (not a real phished link, just a fake example!)

With the solution above, the hack will be activated if the hidden URL is in same domain…www.AmadeusConsulting.com/client-successes or any other pages under thewww.AmadeusConsulting.com domain.

However, if the hidden link within www.AmadeusConsulting.com/services wants to take you to www.BlastNetwork.org, then the browser will warn you and you decide if you want to continue or not.

What’s the problem with this solution?

When you browse the Internet, I highly doubt you won’t end up in websites you won’t know… It’s very normal, especially if you are researching to buy a new computer or to write a 1000 page research paper for your class. I mean, what is Internet if you cannot click on links and enter new digital horizons.

So, someone could set up a website with travel information and an identifiable domain (related to travel). The owner pastes links to the site everywhere: Twitter, Facebook, forums, comments, etc. Maybe I see a post about travel in Reddit and he recommends a link so sure… I click on it, the warning doesn’t come up… OK, I’m safe! Not. He could easily redirect you to another page within the same domain that is designed for phishing purposes.

Also, it could be a real hassle and might require code changes on the part of the web page owner. For example, Verizon has www.verizon.net, www22.verizon.com, verizonwireless.com, and I’m sure others. If they performed redirects within their own trusted domains, the user would be prompted.

Open Source Solution

Typical browsers have two engines, one that is graphical and handles how items are displayed. The other is for handling JavaScript. Google Chrome, for instance, uses two open source engines (WebKit for graphics and V8 for JavaScript).

Since they are both open source, anyone has the ability to work on the code base and submit recommendations or changes to be reviewed and implemented, which will take effect in any search engines that use these open source engines.

This security issue is probably related to the security model known as the “same origin policy” that is within the documentation for V8, which ensures that different pages are genuinely under the same website by having matching domain name (www.example.com), protocol (http or https) and port. The groundwork has already been laid out when it comes to specifying an origin. What if a similar logic could be applied for a destination, or when being directed to a new page by a link.

What if Browsers were Women?

While I was researching for this blog post, I came across a piece of art that showed anthropomorphized browsers, or should I say five very pretty Browseristas. I thought it was pretty nice, so I wanted to share Moie Preisenberger’s art as a final note for this blog post.

Fanart of 5 big browsers: Firefox, Chrome, Opera, Internet Explorer and Safari visualized as women by the artist.