Always "Hover" Before You Click!? Wrong.

RETRACTION: So, sometimes I am wrong. This attack does work, but it's irrelevant, and here's why: if someone has control of the DOM, the game is already over; there's nothing the browser can do for you in that case. It doesn't really matter that the hover status can be spoofed at that point. I'll leave the post up so you can marvel at my stupidity, but to summarize: nothing to see here. (At least I'm not throwing banner ads at you.) Also, my apologies to those whose comments were here: when I moved off of WordPress I decided that a comment system wasn't something I wanted to retain on my blog, and during the move none of the existing comments were imported into the new site.
One of the things you hear frequently is to be aware of what you are clicking on when you browse: hover over a link before clicking it to make sure it goes where you think it does. Hell, I've personally given this very advice to people who clicked on something stupid. I guess I'm a liar, because it isn't true. I put five minutes into thinking about this advice today, because something didn't sit right with me about it, and it took all of a minute to throw together some HTML and JavaScript that gets past it. Maybe everyone already knows this, and somehow I was asleep on the day it was covered in the literally hundreds of papers, articles, how-tos, books, and presentations I've attended, read, or skimmed.

Your browser will show you where a link points when you hover over it. But that doesn't mean the link is the same by the time you have released your mouse button: the href the status bar displays on hover and the href the browser follows on click are read at different moments, and the link's click handler runs in between, with full permission to rewrite it.
onclick.html:

```html
<!doctype html>
<html>
<head>
<script>
        // Runs inside the click handler: after the status bar has already
        // shown the original href, but before the browser follows the link.
        function tricked() {
                document.getElementById("naughty").href="http://www.frameloss.org";
        }
</script>
</head>
<body>
<!-- Hovering shows www.google.com; the click actually goes to frameloss.org -->
<a href="http://www.google.com" onclick="tricked()" id="naughty">www.google.com</a>
</body>
</html>
```
Honestly, I don't know why this simple attack is allowed to work. Browsers should not allow the href of a link to be modified from within its own onclick handler. Want to see it in action? Here's a link to the above code.
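To make the timing concrete, here is an added example that is not part of the original post: a small model of the browser's event order around a link click, the post's trick expressed against that model, and a document-level guard that compares the href shown on hover with the href the click is about to follow. The "document" in the model is a simulation so the code runs in Node; `installGuard()` wires the same comparison into a real page using standard DOM calls (`addEventListener`, `closest`, `preventDefault`), and is only an assumption about how a user script would deploy it. The guard illustrates the mismatch; it is not a defence against a hostile page, since, as the retraction notes, script that controls the page can simply call `location.assign()` without touching the href at all.

```javascript
// Added example, not the original post's code. Models the order of events
// around a link click and shows why "hover before you click" can be beaten.

// Minimal model of <a href="..." onclick="..."> with its inline handler.
function makeLink(href, onclick) {
  return { href, onclick: onclick || null };
}

// What the browser does for one hover-then-click on `link`:
//   1. the status bar reads link.href while the pointer rests on the link
//   2. the inline onclick handler runs (target phase)
//   3. listeners registered on document run (bubble phase)
//   4. unless preventDefault() was called, navigation reads link.href AGAIN
function hoverThenClick(link, documentListeners = []) {
  const shownOnHover = link.href;
  const ev = {
    target: link,
    defaultPrevented: false,
    preventDefault() { this.defaultPrevented = true; },
  };
  if (link.onclick) link.onclick.call(link, ev);
  for (const listener of documentListeners) listener(ev, shownOnHover);
  return {
    shownOnHover,
    navigatedTo: ev.defaultPrevented ? null : link.href,
  };
}

// The post's trick: advertise one URL, swap it inside the click handler.
function trickedLink(shownHref, realHref) {
  return makeLink(shownHref, function () { this.href = realHref; });
}

// Guard: refuse the navigation when the href changed since the hover.
// Returns true when the click is allowed through unchanged.
function hrefMatchesHover(ev, shownOnHover) {
  if (ev.target.href !== shownOnHover) {
    ev.preventDefault();
    return false;
  }
  return true;
}

// Runs the three scenarios on fresh links (the tricked link mutates itself,
// so each scenario gets its own instance).
function demo() {
  const honest = makeLink("https://www.google.com/");
  const tricked = () =>
    trickedLink("https://www.google.com/", "https://www.frameloss.org/");
  return {
    honestUnguarded: hoverThenClick(honest),
    trickedUnguarded: hoverThenClick(tricked()),
    trickedGuarded: hoverThenClick(tricked(), [hrefMatchesHover]),
  };
}

// Real-DOM wiring of the same guard (assumption: loaded as a user script).
// mouseover snapshots the href the status bar will show; the document-level
// click listener runs after the link's inline onclick and before the default
// action, which is exactly the window in which the swap happens.
function installGuard(doc) {
  const seen = new WeakMap();
  doc.addEventListener("mouseover", (ev) => {
    const a = ev.target.closest?.("a[href]");
    if (a) seen.set(a, a.href);
  });
  doc.addEventListener("click", (ev) => {
    const a = ev.target.closest?.("a[href]");
    if (a && seen.has(a)) {
      hrefMatchesHover(
        { target: a, preventDefault: () => ev.preventDefault() },
        seen.get(a),
      );
    }
  });
}

if (typeof document !== "undefined") installGuard(document);
```

Running `demo()` in Node shows the honest link navigating where it said it would, the tricked link displaying google.com on hover and navigating to frameloss.org, and the guarded click being cancelled because the two reads of `href` disagree. In a real page `a.href` returns the resolved absolute URL on both reads, so the string comparison is sound, but the guard only sees handlers that change the attribute; anything that navigates through `location` or `window.open` bypasses it entirely, which is the retraction's point.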