Neil Turner's Blog

Blogging about technology and randomness since 2002

Button in link security flaw

Go to this page and click on the link, and then see where you end up. In Firefox, you end up at the page shown in the status bar, as you’d expect, but in IE, you don’t.
The reason is that the link isn’t just a link – it’s a styled button with a link wrapped around it. The link points to a file called ‘success.html’, but the button submits a form to ‘failed.html’. Firefox treats the button as a link but IE treats the button as some kind of link/button hybrid. The status bar shows where the link points to, but when you click the button, which I’ve disguised using CSS to look like a link, it goes to the form output. Therefore, an unsuspecting user could think they’re clicking on a link to one site (say, paypal.com) but actually going to another (dodgysite.com).
The reason why I’m concerned about this is that an example is in the wild. A variant of the Terrakt in Australia trojan-thingy used this to trick me into going to aicworld.info instead of antivirus.com (or rather it would if Thunderbird hadn’t marked the message as spam and had therefore santised the HTML, thus removing all form elements).
I only have IE, Mozilla and Firefox on here so I can’t test other browsers, but I’d be interested to see how other browsers treated this.
Added: I downloaded Opera 7.23, and it failed the test, however the button appeared more like a button than a normal link and didn’t show any URL in the status bar. Lynx would show the button but say that the document had hidden links.
Update: Codefish have a write up about the variant of the trojan which exploits this flaw. As Jeff posted, it looks like Microsoft are aware of the problem.

6 Comments

  1. Safari 1.2.1 (v125.1) running on Mac OS 10.3.3 failed the test, but as per your experience with Opera 7.23 the button appeared to be a button rather than a link – but it did show ‘success.html’ in the status bar before I pressed it.

  2. This could be made much worse if the spammer was using CSS2 to make the cursor look like a hand instead of an arrow. Luckily, I use Firefox, but I’m afraid for my parents, who refuse to use anything but IE.

  3. In Safari the cursor is a hand… but like Paul said, it is still rendered as a button not a hyperlink.

  4. Using MyIE2 (which is built on IE) the cursor is a hand, it looks like a link and the browser fails the test.

  5. This bug was previously posted to the Full Disclosure mailing list.
    One thing to keep in mind is that the status bar text has always been scriptable in IE anyway. You should always rely on the Address Bar to make security decisions about what site you are really at.
    This is definatly a bug as far as Outlook Express is concerned, since the status bar is not scriptable in OE.

  6. Well since I’ve broken Internet Explorer, I thought I’d try this in Lynx. It does take you to the incorrect address, but it does display the incorrect address in the status bar as well – so it’s obvious where you are going.