{"id":504,"date":"2013-03-25T11:06:51","date_gmt":"2013-03-25T10:06:51","guid":{"rendered":"http:\/\/joernhees.de\/blog\/?p=504"},"modified":"2016-09-28T23:17:29","modified_gmt":"2016-09-28T21:17:29","slug":"lying-links","status":"publish","type":"post","link":"https:\/\/joernhees.de\/blog\/2013\/03\/25\/lying-links\/","title":{"rendered":"Lying links"},"content":{"rendered":"<p>Recently, a post about <a href=\"http:\/\/bilaw.al\/2013\/03\/17\/hacking-the-a-tag-in-100-characters.html\">Hacking the &lt;a&gt; tag in 100 characters<\/a> made its rounds on the internet.<br \/>\nA short summary of this post is that it&#8217;s possible to change the link target (the <code>href<\/code> attribute) just after it&#8217;s clicked, but before the target is loaded. This means that even though hovering over a link shows a target such as http:\/\/paypal.com, you might actually be redirected to some phishing page.<\/p>\n<p>Here&#8217;s an easy js-fiddle demonstrating the issue, which actually presents a popup before you are redirected (see the Result tab for the demo):<\/p>\n<p><iframe width=\"100%\" height=\"300\" src=\"http:\/\/jsfiddle.net\/joern\/weF3r\/embedded\/\" allowfullscreen=\"allowfullscreen\" frameborder=\"0\"><\/iframe><\/p>\n<p>So you might think this is bad, and maybe you&#8217;re right. Bilaw suggests in <a href=\"http:\/\/bilaw.al\/2013\/03\/17\/hacking-the-a-tag-in-100-characters.html\">his post<\/a> that browsers should notify their users in case the link target was changed between the click and following the link.<\/p>\n<p>While this might seem legitimate, it&#8217;s actually not that simple: there are at least two alternatives to achieve the same linkception (not the SEO term) without changing the link target:<\/p>\n<ol>\n<li>You can just &#8220;redirect&#8221; the click to another link. That other link can even be hidden.<\/li>\n<li>You can stop the click event and just load another page.<\/li>\n<\/ol>\n<p>Both are shown in the js-fiddle below:<\/p>\n<p><iframe width=\"100%\" height=\"300\" src=\"http:\/\/jsfiddle.net\/joern\/SJ2ht\/embedded\/\" allowfullscreen=\"allowfullscreen\" frameborder=\"0\"><\/iframe><\/p>\n<p>So fixing this kind of phishing attack isn&#8217;t all that simple. You could argue that you shouldn&#8217;t be able to bind anything to click events on <code>a<\/code>-tags, but there are some good use cases for this (for example, asking the user to confirm before following a link).<\/p>\n<p>As it&#8217;s quite simple to obfuscate the few examples I&#8217;ve shown with callbacks, timers, etc., I&#8217;m quite sure that fixing them wouldn&#8217;t be the end of the arms race. Maybe the only thing we can actually do is raise awareness.<\/p>\n<p>PS: Depending on your browser, the click event is triggered on different actions: Firefox only triggers it on a left mouse-button click, Chrome also on a middle mouse-button click. Both trigger the click event on CTRL\/CMD+left mouse-button (opening the link in a new tab); neither triggers the event on right click + open in new tab.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently, a post about Hacking the &lt;a&gt; tag in 100 characters made its rounds on the internet. A short summary of this post is that it&#8217;s possible to change the link target (the href attribute) just after it&#8217;s clicked, but before the target is loaded. 
This means that hovering over a link and seeing a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":""},"categories":[1],"tags":[5,21,22,70,80,85,86,87,120,121],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pYA5n-88","jetpack-related-posts":[{"id":104,"url":"https:\/\/joernhees.de\/blog\/2010\/07\/22\/precision-recall-diagrams-including-fmeasure\/","url_meta":{"origin":504,"position":0},"title":"Precision-Recall diagrams including F-Measure height lines","date":"2010-07-22","format":false,"excerpt":"Today I was asked how to generate Recall-Precision diagrams including the f-measure values as height-lines from within python. Actually Gunnar was the one who had this idea quite a while ago, but constantly writing things into files, then loading them with his R code to visualize them, made me create\u2026","rel":"","context":"In &quot;Coding&quot;","img":{"alt_text":"","src":"https:\/\/i2.wp.com\/joernhees.de\/blog\/wp-content\/uploads\/2010\/07\/RecallPrecisionDiagram-300x223.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":421,"url":"https:\/\/joernhees.de\/blog\/2012\/04\/24\/git-ad-hoc-sharing\/","url_meta":{"origin":504,"position":1},"title":"Git ad-hoc sharing","date":"2012-04-24","format":false,"excerpt":"I recently found quite a cool way for easy sharing sharing of git code between two machines in a LAN or WLAN (as easy as in mercurial). 
The following command creates a git alias called \"serve\" (you only need to run this once so you don't have to manually call\u2026","rel":"","context":"In &quot;Coding&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":324,"url":"https:\/\/joernhees.de\/blog\/2011\/01\/12\/introducing-betterrelations\/","url_meta":{"origin":504,"position":2},"title":"Introducing: BetterRelations - a Game with a Purpose","date":"2011-01-12","format":false,"excerpt":"As many of you know I'm developing a game called BetterRelations for my MasterThesis. It is now available: BetterRelations (alpha) The game collects pairwise user preferences, which are then used to rate Linked Data triples by \"Importance\". Would be cool if you find time to play the game maybe in\u2026","rel":"","context":"In &quot;LODgames&quot;","img":{"alt_text":"","src":"https:\/\/i1.wp.com\/joernhees.de\/blog\/wp-content\/uploads\/2011\/01\/screenshot_betterRelations_inRoundBarack.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":694,"url":"https:\/\/joernhees.de\/blog\/2015\/08\/26\/scipy-hierarchical-clustering-and-dendrogram-tutorial\/","url_meta":{"origin":504,"position":3},"title":"SciPy Hierarchical Clustering and Dendrogram Tutorial","date":"2015-08-26","format":false,"excerpt":"[raw] This is a tutorial on how to use scipy's hierarchical clustering. One of the benefits of hierarchical clustering is that you don't need to already know the number of clusters k in your data in advance. 
Sadly, there doesn't seem to be much documentation on how to actually use\u2026","rel":"","context":"In &quot;Coding&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":584,"url":"https:\/\/joernhees.de\/blog\/2014\/04\/23\/setting-up-a-local-dbpedia-3-9-mirror-with-virtuoso-7\/","url_meta":{"origin":504,"position":4},"title":"Setting up a local DBpedia 3.9 mirror with Virtuoso 7","date":"2014-04-23","format":false,"excerpt":"Newer version available: Setting up a Linked Data mirror from RDF dumps (DBpedia 2015-04, Freebase, Wikidata, LinkedGeoData, ...) with Virtuso 7.2.1 and Docker (optional) I just found this aged post in my drafts folder, maybe someone will still like it... So you're the guy who is allowed to setup a\u2026","rel":"","context":"In &quot;Coding&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":526,"url":"https:\/\/joernhees.de\/blog\/2013\/06\/08\/mac-os-x-10-8-scientific-python-with-homebrew\/","url_meta":{"origin":504,"position":5},"title":"Scientific Python on Mac OS X 10.8 with homebrew","date":"2013-06-08","format":false,"excerpt":"(newer version of this guide) A step-by-step installation guide to setup a scientific python environment based on Mac OS X and homebrew. Needless to say: Make a backup (Timemachine) First install homebrew. Follow their instructions, then come back here. 
If you don't have a clean install, some of the following\u2026","rel":"","context":"In &quot;Coding&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/joernhees.de\/blog\/wp-json\/wp\/v2\/posts\/504"}],"collection":[{"href":"https:\/\/joernhees.de\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/joernhees.de\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/joernhees.de\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/joernhees.de\/blog\/wp-json\/wp\/v2\/comments?post=504"}],"version-history":[{"count":2,"href":"https:\/\/joernhees.de\/blog\/wp-json\/wp\/v2\/posts\/504\/revisions"}],"predecessor-version":[{"id":789,"href":"https:\/\/joernhees.de\/blog\/wp-json\/wp\/v2\/posts\/504\/revisions\/789"}],"wp:attachment":[{"href":"https:\/\/joernhees.de\/blog\/wp-json\/wp\/v2\/media?parent=504"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/joernhees.de\/blog\/wp-json\/wp\/v2\/categories?post=504"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/joernhees.de\/blog\/wp-json\/wp\/v2\/tags?post=504"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}