
Lying links

Recently, a post about Hacking the <a> tag in 100 characters made the rounds on the internet.
In short, the post shows that it’s possible to change the link target (the href attribute) just after the link is clicked, but before the target is loaded. This means that even if you hover over a link and see a target such as http://paypal.com, you might actually be redirected to some phishing page.

Here’s a simple js-fiddle demonstrating the issue; it shows a popup before you are redirected (see the Result tab for the demo):

So you might think this is bad, and maybe you’re right. In his post, Bilaw suggests that browsers should notify their users if the link target changed between the click and the navigation to the link.

While this may seem reasonable, it’s actually not that simple: there are at least two alternative ways to achieve the same linkception (not the SEO term) without changing the link target:

  1. You can simply “redirect” the click to another link. That other link can even be hidden.
  2. You can stop the click event and load another page instead.

Both are shown in the js-fiddle below:

So fixing this kind of phishing attack isn’t all that simple. You could argue that it shouldn’t be possible to bind anything to click events on a-tags, but there are good use cases for this (e.g., asking the user to confirm before following a link).

As it’s quite simple to obfuscate the few examples I’ve shown with callbacks, timers, etc., I’m quite sure that fixing them wouldn’t be the end of the arms race. Maybe the only thing we can actually do is raise awareness.

PS: Depending on your browser, the click event is triggered by different actions: Firefox only triggers it on a left mouse-button click, Chrome also on a middle mouse-button click. Both trigger the click event on CTRL/CMD + left mouse-button (opening the link in a new tab); neither triggers the event on right click + open in new tab.
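Bilaw’s suggested check, replayed against the three tricks from the post, as an added example that is not from the original post or its fiddles: a small model of DOM click dispatch (an assumed stand-in for a real browser; `El`, `dispatchClick`, `installGuard`, `runScenario` and the example.com/example.net URLs are all invented here) shows that a document-level guard notices the href rewrite and the click forwarded to a hidden link (browsers mark script-dispatched clicks with `isTrusted === false`), but not a handler that cancels the click and navigates on its own.

```javascript
// Minimal stand-in for DOM elements; dispatchClick keeps the real order: capture
// listeners root-down, bubble listeners target-up, then follow the anchor's href.
class El {
  constructor(tag, parent = null, href = null) {
    Object.assign(this, { tag, parent, href, capture: [], bubble: [] });
  }
  addEventListener(fn, o = {}) { (o.capture ? this.capture : this.bubble).push(fn); }
}

// win.location stands in for window.location; trusted=false models the
// event.isTrusted flag browsers clear on clicks dispatched by script.
function dispatchClick(target, win, trusted = true) {
  const ev = { target, isTrusted: trusted, defaultPrevented: false,
               preventDefault() { this.defaultPrevented = true; } };
  const path = [];
  for (let n = target; n; n = n.parent) path.push(n);
  [...path].reverse().forEach((n) => n.capture.forEach((fn) => fn(ev)));
  path.forEach((n) => n.bubble.forEach((fn) => fn(ev)));
  if (!ev.defaultPrevented && target.href) win.location = target.href;
}

// Defender-side guard: record the href the user saw (capture phase runs before
// page handlers), recheck it after them, and report script-dispatched clicks.
function installGuard(doc, report) {
  let seen = null;
  doc.addEventListener((ev) => { seen = ev.target.href; }, { capture: true });
  doc.addEventListener((ev) => {
    if (!ev.isTrusted) report(`synthetic click on ${ev.target.href}`);
    else if (!ev.defaultPrevented && ev.target.href !== seen)
      report(`href changed from ${seen} to ${ev.target.href}`);
  });
}

// Replays the post's three tricks (constructed URLs) and returns what the
// guard reported plus where the "browser" ended up.
function runScenario(trick) {
  const win = { location: null }, reports = [];
  const doc = new El('document'), body = new El('body', doc);
  const link = new El('a', body, 'https://example.com/shown');
  const hidden = new El('a', body, 'https://example.net/hidden');
  installGuard(doc, (msg) => reports.push(msg));
  const tricks = {
    rewrite: (ev) => { ev.target.href = hidden.href; },
    redirect: (ev) => { ev.preventDefault(); dispatchClick(hidden, win, false); },
    navigate: (ev) => { ev.preventDefault(); win.location = hidden.href; },
  };
  if (tricks[trick]) link.addEventListener(tricks[trick]);
  dispatchClick(link, win);
  return { reports, location: win.location };
}
```

In a real page the same `installGuard` logic is two `document.addEventListener('click', …)` calls, one of them with `{ capture: true }`; the `navigate` case shows why the post considers a browser-side fix incomplete.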

My name

Thanks to Paul for telling me about my name day: “Jörn (Der eberstarke, mutige, gute Freund)” (Jörn, the boar-strong, brave, good friend). Actually, it’s fun to read the Plattdüütsch version, which says roughly that the name comes from Jürgen, which in turn comes from Georg, but as people speaking that dialect were “mundfuul” (talk-lazy) they shortened it to Jörn :D (and I can actually read it)

The English Wikipedia told me that I’m actually a village (yay, we all love RDF, don’t we? At least the de.dbpedia.org knows more.)

Oh, and there’s a train station with my name on it.

Lovely.

Interesting talk about “Filter Bubbles”

A few days ago I stumbled over an interesting TED talk by Eli Pariser about the ever-increasing personalization of the web: its search results, your Facebook news feed, … Do you think that you still see the whole picture, or are you already caught in your own filtered information bubble? (thanks to Kingsley Idehen)

Live mapping of tweets, facebook msgs, emails, sms…

Reading the Wikimedia blog, I stumbled over this interesting post. It mentions a framework called Ushahidi (Swahili for “testimony”) with its subproject SwiftRiver, which can be used to track and verify the reliability of news about current trending topics, possibly helping Wikipedia editors improve article quality.

Digging into it, I found out that the framework is used for live mapping (collection, aggregation and visualization) of disaster- and event-related messages sent via all kinds of transports (e.g., Twitter, Facebook, email, SMS, …). One example is the 2010 Haiti earthquake, where it helped to coordinate the search and rescue teams.

As I find it quite fascinating how much people sitting at home in their living rooms might be able to help others in a disaster region, I’d like to suggest this talk: