
Always “hover” before you click? Wrong. - zdw
http://www.frameloss.org/2012/10/28/hover-fail/
======
timothya
This isn't new, and it's not as simple as not letting the browser change the
URL during the click event. This swapping of addresses is more complicated
than it even needs to be; all we need is:

    <a href="http://google.com" id="link">Google</a>

and some JavaScript running like this:

    document.querySelector("#link").addEventListener('click', function(e) {
        e.preventDefault();
        document.location = 'http://evil.com';
    }, false);

And this is a valid use case - perhaps we're in a web app and if the user
clicks the link, we want to perform an AJAX call for the data instead of the
normal link action - unless they're opening the link in a new tab, in which
case it should load as usual (from the URL given in the link). So this isn't
really an easily fixable problem.
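
The "plain click is intercepted, new-tab gestures fall through to the href" pattern described above, as an added example written for this page (it is not code from the original comment or from frameloss.org). The function names `shouldInterceptClick`, `makeLinkHandler` and `demo` are made up for the illustration, and the event objects are constructed stand-ins for browser MouseEvents so the block runs in Node without a DOM. The point for the reader is that the anchor's href stays the true destination, so hover, copy-link and middle-click keep telling the truth; only an unmodified primary-button click is routed to the in-page action.

```javascript
// Decide whether a click handler may take over navigation. True only for an
// unmodified primary-button click: middle clicks and ctrl/meta/shift/alt
// clicks (open in new tab or window) keep the browser's default behaviour.
function shouldInterceptClick(event) {
  if (event.defaultPrevented) return false;                       // already handled elsewhere
  if (typeof event.button === 'number' && event.button !== 0) return false;
  if (event.ctrlKey || event.metaKey || event.shiftKey || event.altKey) return false;
  return true;
}

// Build the click handler for an anchor. The href is left untouched (so the
// hover status and copy-link show the real target); a plain click is turned
// into the in-page action, everything else navigates normally.
function makeLinkHandler(anchor, onActivate) {
  return function (event) {
    if (!shouldInterceptClick(event)) return;   // let the browser follow the href
    event.preventDefault();
    onActivate(anchor.href);                    // e.g. fetch the data over AJAX
  };
}

// Constructed sample events standing in for MouseEvent objects.
const plainClick  = { button: 0, ctrlKey: false, metaKey: false, shiftKey: false, altKey: false, defaultPrevented: false };
const middleClick = { ...plainClick, button: 1 };
const ctrlClick   = { ...plainClick, ctrlKey: true };

// Run the handler against a fake anchor and record what happened to each event.
function demo() {
  const fakeAnchor = { href: 'http://google.com/' };
  const log = [];
  const handler = makeLinkHandler(fakeAnchor, (url) => log.push('ajax:' + url));
  for (const sample of [plainClick, middleClick, ctrlClick]) {
    const e = { ...sample, preventDefault() { this.defaultPrevented = true; } };
    handler(e);
    log.push(e.defaultPrevented ? 'prevented' : 'navigated');
  }
  return log;   // ["ajax:http://google.com/", "prevented", "navigated", "navigated"]
}

// In a real page this wires the handler to the markup from the comment above.
if (typeof document !== 'undefined') {
  const link = document.querySelector('#link');
  if (link) {
    link.addEventListener('click', makeLinkHandler(link, (url) => console.log('would fetch', url)), false);
  }
}
```

The split into a pure decision function and a thin DOM wrapper is deliberate: the modifier-key logic is the part that is easy to get wrong and easy to unit-test, while the wrapper is the only line that touches the browser.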

~~~
jarrett
Agreed. The ability to do something other than what the href implies is a
small part of JavaScript's bigger purpose: To extend the capabilities of web
pages beyond the basic functionality of a browser. It's what makes the browser
more than just a dumb document reader, and it's a big part of what makes the
web attractive as a platform for app development. We shouldn't chip away at
it.

Rather than crippling JavaScript, we should focus on implementing a different
security principle: Merely visiting a web page should never be dangerous or
harmful. This has always been a goal of browser developers. Browsers run in a
sandbox for this reason. Although they will execute arbitrary, untrusted code
(i.e. JavaScript), by design that code has no access to your hard drive, other
web pages you visit, etc..

Were this principle implemented perfectly, the OP's concerns would mostly be
alleviated. Sure, some people will still download and run malware EXEs, or
enter their private data on a phishing site. But those who do will probably
not benefit much from hovering over a URL anyway. If you don't know better
than to hand the keys to the castle to random web pages, you probably don't
know how to spot a suspicious URL.

~~~
bjourne
As a Linux user, malicious exe-files don't concern me much, but random
jokesters trying to get me to click on goatse-links does. It especially sucks
when you're at work and you thought it was a link to a page describing matrix
multiplication. I think that a modern browser should protect you against that.
After all, my economic loss is likely to be larger if my boss sees me staring
at a bleeding anus than if I catch a malware infection. Just like browser
these days detect malware sites they should also detect shock sites.

~~~
cmccabe
Who cares if your boss sees you click on a goatse link? He's probably been
pranked before; he knows how it works. Are you afraid that he thinks you're a
goatse aficionado? If so, you've got bigger, wider problems.

~~~
bjourne
Actually my boss has goatse man beaten when it comes to being a huge asshole.
But the picture would just make him jealous.

------
TeMPOraL
Isn't it what Google does? Try hovering over a search result, and then try
copying the URL. It's annoying like hell, btw., especially when you want to
copy-paste a link somewhere.

~~~
nicolasp
There's a firefox addon that fixes it:
[https://addons.mozilla.org/fr/firefox/addon/google-search-li...](https://addons.mozilla.org/fr/firefox/addon/google-search-link-fix/)

~~~
pudquick
And a Chrome extension as well:

[https://chrome.google.com/webstore/detail/remove-google-redi...](https://chrome.google.com/webstore/detail/remove-google-redirects/ccenmflbeofaceccfhhggbagkblihpoh)

------
jd
Most of the time though the issue is we don't trust links in comments/posts on
websites we otherwise trust. Those websites don't allow people to inject
javascript code in their comments (but they often do allow people to change
the link text).

Of course, once you're willing to run arbitrary javascript code you can't
trust any mouse click anymore. Doesn't matter if the click is on a link or a
button or anywhere else. Disallowing href attribute modification doesn't help
one bit.

So the "hover" hint you get for links is still highly useful, especially on
sites you trust.
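
The policy jd describes (no script in comments, but free link text) is enforced server-side by a markup filter. The following is an added example written for this page, not code from the thread or from any site mentioned in it. It keeps only http(s) hrefs on user-submitted anchors, drops every inline `on*` handler and `javascript:` URL, and appends the real hostname after the link text whenever the text does not already name it, so the reader sees the destination even when the visible text claims otherwise. The names `sanitizeAnchors`, `safeHref`, `parseAttributes` and `SAMPLE_COMMENT` are made up for the illustration, and the sample comment (including the `evil.example` host) is constructed. The regex tag scanner is intentionally minimal; a production site should run a real HTML sanitizer and apply the same rules inside it.

```javascript
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Parse an attribute string such as ` href="x" onclick='y'` into a plain map.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([a-zA-Z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : (m[4] !== undefined ? m[4] : ''));
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Return a normalised absolute http(s) URL, or null for anything else
// (javascript:, data:, relative paths, garbage). Null means "not clickable".
function safeHref(raw) {
  if (!raw) return null;
  let url;
  try { url = new URL(raw.trim()); } catch (err) { return null; }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Rewrite every <a ...>text</a> in a comment. Only href survives; anchors
// without a usable href collapse to their text so nothing clickable remains.
function sanitizeAnchors(html) {
  return html.replace(/<a\b([^>]*)>([\s\S]*?)<\/a>/gi, (whole, attrText, text) => {
    const attrs = parseAttributes(attrText);     // on* attributes are simply never copied
    const href = safeHref(attrs.href);
    if (!href) return text;
    const host = new URL(href).hostname;
    const plainText = text.replace(/<[^>]*>/g, ''); // no nested tags inside the link
    const textNamesHost = plainText.toLowerCase().includes(host.toLowerCase());
    const suffix = textNamesHost ? '' : ` [${escapeHtml(host)}]`;
    return `<a href="${escapeHtml(href)}" rel="nofollow noopener">${plainText}${suffix}</a>`;
  });
}

// Constructed sample comment using the onclick trick discussed in the thread.
const SAMPLE_COMMENT =
  '<p>Matrix multiplication explained: ' +
  '<a href="http://google.com" onclick="window.location=\'http://evil.example\';return false;">Google</a> ' +
  'and <a href="javascript:alert(1)">click me</a> ' +
  'and <a href="https://example.org/docs">https://example.org/docs</a></p>';

function sanitizeSample() {
  return sanitizeAnchors(SAMPLE_COMMENT);
}
```

After filtering, the first anchor is rendered as `Google [google.com]` with no handler, the `javascript:` link is reduced to its text, and the link whose text already names `example.org` is passed through with only `rel` added.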

~~~
batgaijin
As a side note, how the hell has Google not fixed youtube and the "see this
movie early at this link -> <http://lol-th1s-url-is-craxxy.com>

I'd think writing a cheap algorithm to track those posts and who upvotes them
would be easy. Maybe they are doing a honeypot?

~~~
alecco
It's one click more for google, one more view of ads. It goes against their
interests.

------
NelsonMinar
Forget the Javascript tricks; the idea that an ordinary person can look at a
URL and decide if it is safe to open or not is ridiculous. Even if the browser
could 100% show people what URL would open that doesn't give users enough
information to then know if it's OK to click on it.

~~~
jebblue
I think what bugs people is that the browser could be seen as tricking the
user, even lying to the user; not whether the clickable link is bad but
whether we should trust what the browser tells us in a very fundamental way.

------
frameloss
Hi HN, so that's my site, and well, I'm feeling pretty dumb right now. I
really didn't think that post through--honestly I put more thought into
carving pumpkins yesterday. So, here's my retraction that I added to the top
of the post:

So, sometimes I am wrong. This attack does work, but it’s irrelevant, and
here’s why: if someone has control of the DOM the game is already over,
there’s nothing the browser can do for you in that case. It doesn’t really
matter that the hover-status can be spoofed at that point. I’ll leave the post
up so you can marvel in my stupid, but to summarize–nothing to see here. (At
least I’m not throwing banner ads at you.)

~~~
olalonde
Well, it says a lot for you that you admitted your mistake. Hope you will
become a regular HNer :) I'm actually quite surprised your post got so many
upvotes considering this community is mostly dominated by web developers.

~~~
frameloss
Heh, thanks. I guess it's like the blogging equivalent of the no-pants
public-speaking dream.

------
bjhoops1
"I don’t know why this simple attack is allowed to work … browsers should not
allow the href to be modified on a link with the onClick handler."

It is often necessary to attach click handlers to anchor tags. For example,
let's say you have a link to an image, but when a user clicks on that link,
you don't want to navigate to the raw image - you want to open it in a
shadowbox. But if someone right-clicks and copies the link's URL, that will
take them to the raw image.

In terms of browsers "allowing" this to happen - anything beyond the
ham-fisted approach of just disallowing click handlers on all anchor tags would
be prohibitively complicated.

It _is_ something worth being aware of though - just because that link says
it's taking you to Google doesn't mean it won't take you somewhere less
savory!

------
pstadler
Really not worth a discussion as this functionality has probably been around
since the first web browser implemented JavaScript. I don't know anyone who's
actually giving that "hover" target-preview attention anyway. On the other
hand, preventing this is not a solution. It would break patterns for AJAXified
navigation.

------
benmanns
There used to be a DOM attribute specifically for changing the window status
text, which was the same area used to display a hovered link URL.[0]

[0] <https://developer.mozilla.org/en-US/docs/DOM/window.status>

------
mmahemoff
This is an old trick people use to hide affiliate links and redirects via
tracking URLs, for example. It's not intrinsically evil as it's providing a
way to keep things working even if JavaScript isn't on, or the site is visited
by a bot, for example. It's really the basis of graceful degradation,
unobtrusive JavaScript, and the foundation of libraries like jQuery.

One interesting lesson here is if you reverse the logic. What if you have an
Ajax action triggered by JavaScript? My point is, you should generally trigger
actions from linked content instead of random controls like buttons (you can
of course place a button inside a link or style the link as a button). This
way, bots and non-JS browsers will still be able to follow it.

------
tlrobinson
What attack is "hovering" trying to prevent, phishing or executing a malicious
page?

If phishing, it's much more important to look at the URL _after_ the page
is loaded. URL shorteners already obscure the actual destination much of the
time.

If malicious pages, well, if an attacker can present a link with a JavaScript
onclick handler they can most likely already inject an iframe or redirect you
to a malicious page.

------
guelo
Well, to satisfy all the Javascript Übermensch who are eagerly trashing the
hypertext foundations which made the web so successful, maybe browsers should
add some kind of hover styling to signify that it is a bullshit link that is
going to do secret magic stuff in the background, like tell thousands of
advertisers that you just clicked that bullshit link.

------
adrianN
One more reason to only allow scripts on sites you trust.

~~~
olalonde
No, the malicious page could simply send you an HTTP redirect header to
basically achieve the same result (redirecting you to a URL you didn't intend
to go) without Javascript.

------
madsr
And this is why we use Firefox with NoScript on unknown sites :-)

~~~
ygra
I wouldn't count Google as unknown ;-)

~~~
madsr
Google isn't, but the page providing the link (frameloss.org) is unknown (to
me).

------
pkorzeniewski
You can achieve exactly the same effect by setting "window.location.href" on
click event, so I don't see how preventing "href" from change will help.

~~~
talmand
I was thinking the same thing. It would seem that to do what he's suggesting
you would have to prevent any interaction between the anchor tag and
javascript. You can trigger window.location.href on hover for gosh sakes.

------
gst
The hint itself: That's complete nonsense and doesn't improve your security by
a bit. The only reason why you might want to do something like this (at work)
is if you don't want to follow non-worksafe links. And even then - what are
you going to do if it's a tinyurl or goo.gl link? Just not following?

The attack: This completely misses the point. If a site wants to mess with you
it doesn't need a link for that, it can just directly execute Javascript code
and do whatever it wants to do.

------
rplnt
When using middle click (i.e. open in new tab) the link still leads to
google.com.

~~~
benmanns
Middle-clicking doesn't execute the `onclick` event in some browsers.
Likewise, right-clicking and hitting open link in new tab opened Google, but
middle clicking executed the `onclick` event.

------
shuw
Assuming the page you are already on is compromised / malicious, then its
link-baiting you to another compromised / malicious site is not your only worry.

------
rodh
I might be wrong but I believe facebook does this on any news article linked
by someone in your feed. It does so to load up the relevant publication's app
upon clicking a link, even though that link "appears" to be a deep link to the
article, when you hover over.

------
jdavid
Like with so much on the web, with great power comes great responsibility.
However, that is not super reassuring.

Most of the time I have seen sites do this so that the link is clear and easy
to read for the user, while adding utm_campaign codes and other junk that the
user does not care about.

However I am sure some sites use this behavior to .... trick users.

So we need to ask ourselves which is the greater good?

There might be a UX solution here, in how those links are shown, and maybe
there should be some rules about HTTPS links in pages. Maybe users could set a
setting that if the link is changed on click, that maybe, it would not
automatically go to the site, but would prompt the user, or at least inform
them on the landing page with some form of notification.

------
ricardobeat
Especially considering that you _can't_ hover in mobile phones or tablets.

~~~
dasil003
Which is what I thought this article would be about based on the title.

~~~
gagege
I was hoping it would be about the touchscreen issue. I think it's something
that needs more exposure.

~~~
dasil003
Yeah, that's a pretty nasty problem actually.

------
omarali
I only "hover" before clicking on suspicious links in emails.

~~~
bradwestness
Yeah, the hover trick is only recommended for looking at URLs in e-mails
before clicking them (no sane client would execute JavaScript contained in an
e-mail), but really you should just never click a link in an e-mail anyway and
open up a new window and type in the URL of the website.

Open a new browser window and type in PayPal.com rather than clicking any
links in that "You need to update your information or your account will be
shut down" e-mail.

Once you're actually on PayPal.com (or whatever), looking at the hover URLs is
pointless.

~~~
anonymfus
It's better to have trusted bookmarks than to type any such URL, because nobody
can be sure of being smarter than a phisher.

~~~
bradwestness
If you have a PayPal account, having a bookmark for PayPal is not any more
secure than typing paypal.com into your browser's address bar.

~~~
anonymfus
What if I make a mistake while typing? If typosquatting works then many people
make such mistakes, so why should I think that I am special?

------
amalakar
Well, Google search has been doing this for ages. If you hover over the search
result links it shows the URL of the page, but if you click on one it
goes to a Google URL which then redirects to the URL you saw. Google
does this so that they can keep track of which link you clicked. Other search
engines probably do the same; I haven't verified though.

------
MindTwister
Why are you making it all so difficult?

    <script>
        window.location = 'http://example.com';
    </script>

Redirected.

It's not a bug, it's a feature. What you should be worried about is what
<http://www.example.com> can do, can it execute arbitrary code, post to
facebook/twitter etc.?

~~~
MindTwister
If you decide you want to wait for some kind of user input:

    $('#element').mouseover(function(){ window.location .... });

------
beatgammit
Meh, just a bunch of FUD.

I do this in a few webapps where I cancel href events or redirect them to a
hash tag. It's actually quite useful.

------
josefresco
I seem to remember some recent articles on phishing indicating that the
assailants are not targeting the brightest among us but rather those easily
fooled. While this technique is alarming to those who know the mouse-over
technique I doubt this will apply for your average "mom and pop" phishing
scheme.

------
oneandoneis2
That's actually a slightly convoluted way around - you can also use JS to
cancel the browser's "normal" action for an element and have it do something
else - see jQuery example <http://api.jquery.com/event.preventDefault/>

~~~
danielwozniak
Actually you don't need that either.

onclick="window.location='<badurl>';return false;"

If you want to be even more shady you can use the 'onmouseover' event with the
same redirect as above. Which defeats the look before you leap approach of
hovering before clicking.

onmouseover="window.location='<badurl>';return false;"

------
3825
hold on guys, can someone explain to me what the browser is doing wrong here? I
mean the source says it will take me to /utils/onclick.html which is exactly
what the tooltip says as well. Please help me understand?

<http://i.imgur.com/8PrfP.png>

~~~
jopt
If you click that, it opens a demo with a link that's ostensibly to google,
but actually goes somewhere else.

~~~
3825
Thank you for your reply. I am still confused though. The tooltip clearly says
frameless.org

<http://i.imgur.com/9g56l.png>

~~~
ajanuary
Did you already open the link before that screenshot?

The script the OP uses replaces the href, so once you click it, it'll reflect
the true destination.

As others have mentioned, you can get around that by doing a redirect and
cancelling the link action instead. Then it will always show the fake target.

------
njharman
In chrome hovering shows "hover test" in popup and the frameloss.org link in
status bar.

------
dutchbrit
This trick used to be used a lot in "adult" galleries about 10 years back.

------
monkeynotes
"Honestly, I don’t know why this simple attack is allowed to work..."

If this 'attack' didn't work then a large amount of what I do every day would
become a lot more complicated.

------
jondot
Reminds me of the late 90's along with scrolling titles.

------
Zak
I think they do something different now, but reddit used to do this to track
clicks on outbound links.

------
jeffxl
Breaking news: It's possible to be a jackass on the internet. This time, with
javascript!

------
xutopia
window.status all over again!

