
Advisory: The link tooltip and the statusbar can be misleading

Platform: All desktop versions

Summary

Opera's status bar shows the "title" attribute of a form input image, not the form's "action" URL. This may mislead the user.

Severity: Very low

Problem description

It is possible to make a form input that looks like an image link. If the form input has a "title" attribute, the status bar will show the "title". A "title" which looks like a URL can mislead the user, since the title can say http://nice.familiar.com/, while the form action can be something else.

Opera's tooltip says "Title:" before the title text, making a spoof URL less convincing. A user who has enabled the status bar and disabled tooltips can be affected by this. Neither of these settings is Opera's default.

This exploit is mostly of interest to users who disable JavaScript. If JavaScript is enabled, any link target or form action can be overridden by the script. The tooltip and the status bar can only be trusted to show the true location if JavaScript is disabled.
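
A site owner or reviewer can check static markup for the mismatch described above. The following is an added example, not Opera's code: it flags image inputs whose "title" looks like a URL on a different host than the enclosing form's resolved action. The function names, the other.example host and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample markup: only the first form is a mismatch.
SAMPLE = """<form action="http://other.example/collect">
  <input type="image" src="go.png" title="http://nice.familiar.com/">
</form>
<form action="/search">
  <input type="image" src="go.png" title="http://nice.familiar.com/search">
</form>"""

def host_of(text):
    """Host of a URL-like string, or None if the text does not look like a URL."""
    text = (text or "").strip()
    if text.lower().startswith("www."):
        text = "http://" + text
    if "://" not in text:
        return None
    try:
        return (urlsplit(text).hostname or "").lower() or None
    except ValueError:
        return None

class TitleActionAudit(HTMLParser):
    """Flag image inputs whose URL-like title names a different host than the form action."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.action, self.findings = None, []  # current form action; (title, action) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action is resolved against the page's own URL.
            self.action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "image" and self.action:
            shown = host_of(a.get("title"))
            if shown and shown != host_of(self.action):
                self.findings.append((a["title"], self.action))

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None

def audit(html, page_url):
    parser = TitleActionAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    print(audit(SAMPLE, "http://nice.familiar.com/index.html"))
```

The check covers static markup only; as noted above, a script can change the form action after the page loads.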

Opera's response

Opera has released version 8.52, which displays the form action URL in the status bar, and both the "title" and the action URL in the tooltip.

Credits

Thanks to Secunia for pointing out how the "title" attribute could be abused to trick the user.

Last edited: 2006-02-17; Category: Security advisories; Keywords: ; Index: 819