commissum issues advice on link-camouflaging Javascript exploit

LEITH, Scotland - April 4, 2013 - PRLog -- Recently, a disturbing new exploit was discovered by Bilawal Hameed, a nineteen-year-old developer and entrepreneur (see http://bilaw.al/2013/03/17/hacking-the-a-tag-in-100-characters.html ). He found that a relatively straightforward use of the scripting language Javascript was able to defeat the well-known status bar safety check for hyperlinks. This is the procedure whereby a user, before clicking on a link, can hover the cursor over it to view the URL pointed to by that link, which will appear in the status area at the bottom of the page. In this way the user can check whether the link is safe to click on.

However, the exploit discovered by Hameed is able to camouflage the URL pointed to by the link, so that while a “safe” link is shown in the status bar when the user hovers over the link, once the user actually clicks on the link the browser is sent to a completely different page. This page may be used by a hacker to steal sensitive data, such as the user’s banking login credentials, while the user remains unaware of the deception. The exploit requires only a few lines of simple Javascript code.

Hameed has publicly disclosed this vulnerability, which the Open Source Vulnerability Database has catalogued as the ”Mozilla Firefox (or Google Chrome) 'a' Tag JavaScript After Click Reference Manipulation Weakness”. To date, a fix has been produced for the Opera browser, but other browsers remain vulnerable to the exploit for the time being. Hameed has suggested that browsers should be enabled to warn the user if a link would take them to a different Internet domain on clicking compared to the domain indicated on hovering.

Briony Williams, a security consultant at information security firm commissum, explains: “This newly-discovered weakness highlights how important it is for users to remain alert when browsing the web, especially when about to enter sensitive data. It’s no longer enough to check the status of a link before clicking it. In fact, the safest procedure is not to click on any link that takes you to a sensitive website, such as a banking or credit card site, but simply to enter the URL manually in the address bar. That may require more work from the user, but it’s one area that hackers cannot manipulate.”

commissum (see http://www.commissum.com ) is a specialist information security company based in Edinburgh, Scotland, with experience in penetration testing of infrastructure and web applications.  Martin Finch, the director of commissum, added: “This exploit is a worrying development. Until all browsers are updated to disable this exploit, users may be vulnerable to ‘phishing’ attacks that seek to harvest their sensitive information for financial gain. This camouflaging of the status bar check for hyperlinks has the effect of escalating the ongoing cyberspace arms race, whereby hackers respond to each new advance in security by developing a way to circumvent it. Even after upgrading to the latest version of their browser, users should never relax their guard when browsing the web.”