Last Tick Link Swap
Consider the following link: Amazon.
If you hover over the link, the status bar shows that it points to https://amazon.com, so we expect the browser to take us to Amazon once we click it. But if you click the link, you may be surprised where it takes you...

Some of the ways this behaviour can be abused:
- A website redirects links to high-profile sites (e.g. Amazon, Facebook, etc.) to a phishing site that has been made to look the same but steals user credentials
- A phishing email links to a phishing site that looks like the actual site; every link on it shows a legitimate destination on hover but navigates to the phishing site's next page when clicked
- Insert and/or remove affiliate codes from links, similar to this BleepingComputer article: Malicious browser extensions targeted almost 7 million people
- Extract cookies from a user viewing a website by redirecting them to an attacker's site with the cookies attached to the request
- Leak data by sending the current page's contents to an attacker's site that logs what it receives and then automatically redirects to the intended destination
From the HTML living standard, section 15.7.1: "User agents are expected to allow users to discover the destination of hyperlinks and of forms before triggering their navigation."
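The swap described above works because the destination the user sees on hover and the destination used at click time are read at different moments. The following is an added example, not code from the original post: a defender-side guard (usable as a page script or extension content script) that snapshots each link's `href` when it is hovered and refuses the navigation if the origin has changed by the time the click is processed. The `checkClick`/`originOf` helpers, the `onSwap` callback and the hostnames `example.test` and `attacker.invalid` are all assumptions made for this example.

```javascript
// Added example (not from the original post): detect a "last tick link swap"
// by comparing the destination a link showed on hover with the destination it
// has at the moment of the click. Works on any object with an `href` property,
// so it can be exercised with plain objects in Node and wired to a real
// `document` via installGuard().

const hoverSnapshots = new WeakMap(); // anchor -> href as last seen on hover

// Reduce a URL to what a user actually compares in the status bar: the origin.
// Assumption: same-origin path/query changes (e.g. a tracking parameter) are
// not treated as a swap; tighten this to a full-URL comparison if needed.
// `base` resolves relative hrefs (pass document.baseURI in a browser).
function originOf(href, base) {
  try {
    return new URL(href, base).origin;
  } catch (e) {
    return null; // unresolvable href: treated as "unknown" destination
  }
}

// Remember what the status bar showed for this anchor.
function recordHover(anchor) {
  hoverSnapshots.set(anchor, anchor.href);
}

// Verdict on whether the destination changed between hover and click.
function checkClick(anchor, base) {
  const shown = hoverSnapshots.get(anchor);
  const actual = anchor.href;
  if (shown === undefined) {
    // Keyboard activation or a click without a prior hover: nothing to compare.
    return { swapped: false, reason: 'no-hover-snapshot', shown, actual };
  }
  const swapped = originOf(shown, base) !== originOf(actual, base);
  return { swapped, reason: swapped ? 'origin-changed' : 'same-origin', shown, actual };
}

// Wire the check to a real document. The hover snapshot and the first click
// check run in the capture phase on the document, i.e. before the page's own
// handlers on the anchor; a second check runs in the bubble phase on the
// window, i.e. after them (unless the page stops propagation), so a swap done
// inside the anchor's own click handler is caught too.
function installGuard(doc, win, onSwap) {
  const anchorOf = (ev) =>
    ev.target && typeof ev.target.closest === 'function' ? ev.target.closest('a[href]') : null;

  doc.addEventListener('mouseover', (ev) => {
    const a = anchorOf(ev);
    if (a) recordHover(a);
  }, true);

  const onClick = (ev) => {
    const a = anchorOf(ev);
    if (!a) return;
    const verdict = checkClick(a, doc.baseURI);
    if (verdict.swapped) {
      ev.preventDefault();            // do not navigate to the swapped destination
      ev.stopImmediatePropagation();  // keep later page handlers from re-triggering it
      onSwap(verdict, a);
    }
  };
  doc.addEventListener('click', onClick, true);
  win.addEventListener('click', onClick, false);
}

// Browser usage; skipped when run outside a browser (e.g. under Node).
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  installGuard(document, window, (verdict, a) => {
    console.warn('Blocked link swap: hover showed', verdict.shown, 'but click would go to', verdict.actual, a);
  });
}
```

This is a best-effort mitigation from the page side: a hostile page can stop propagation or navigate through other means, so the robust fix is in the browser itself, where the status-bar destination and the destination actually navigated to should be the same value. The guard is still useful as an extension content script for spotting the technique in the wild.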
| Browser | Platform | Version | Affected |
|---|---|---|---|
| Firefox | Desktop | 107.0.1 (64 bit) | Yes |
| Ungoogled Chromium | Desktop | 88.0.4324.150 (x86_64) | Yes |
Example Cookie: Send Money with Auth Cookie!
Thank you to Sergey Bilovytskyy for hosting the off origin page to exemplify this PoC.