Advisory: The link tooltip and the statusbar can be misleading
Platform: All desktop versions
Summary
Opera's status bar shows the "title" attribute of a form input image, not the form's "action" URL. This may mislead the user.
Severity: Very low
Problem description
It is possible to make a form input that looks like an image link. If the form input has a "title" attribute, the status bar will show the "title". A "title" which looks like a URL can mislead the user, since the title can say http://nice.familiar.com/, while the form action can be something else.
Opera's tooltip prefixes the title text with "Title:", which makes a spoofed URL less convincing there. A user who has enabled the status bar and disabled tooltips can be affected by this. Neither setting is Opera's default.
This exploit is mostly of interest to users who disable JavaScript. If JavaScript is enabled, a script can override any link target or form action anyway (for example by rewriting the action at submit time), so the tooltip and the status bar can only be trusted to show the true destination when JavaScript is disabled.
Opera's response
Opera has released version 8.52, which displays the form action URL in the status bar, and both the "title" and the action URL in the tooltip.
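The following is an added example, not code from Opera or from this advisory. It models, for an image-type submit control, what the status bar hint was derived from before Opera 8.52 (the "title") and from 8.52 on (the form action), and adds a small check that flags a control whose title looks like a URL on a different host than the one the form actually posts to. The sample control objects, the page URL, the function names and the tooltip layout are all assumptions; the control is a plain object rather than a DOM node so the code runs under Node without a browser.

```javascript
// Added example (not Opera's code): status bar hint before/after Opera 8.52
// for an <input type="image"> submit control, plus a misleading-title check.

// Constructed page URL; relative form actions resolve against it.
const PAGE_URL = 'http://evil.example.net/offer.html';

// Constructed spoof control, as the advisory describes it: the "title" reads
// like a URL on a familiar host, while the enclosing form posts elsewhere.
const spoofControl = {
  type: 'image',
  src: 'login-button.png',
  alt: 'Log in',
  title: 'http://nice.familiar.com/',           // what the old status bar showed
  form: { action: '/collect', method: 'post' }  // where the form really posts
};

// Constructed control with an ordinary descriptive title.
const honestControl = {
  type: 'image',
  src: 'login-button.png',
  alt: 'Log in',
  title: 'Log in to your account',
  form: { action: 'https://nice.familiar.com/login', method: 'post' }
};

// Resolve the form's real destination to an absolute URL. A form without an
// action attribute submits to the document's own URL.
function resolveAction(control, pageUrl) {
  const action = control.form && control.form.action;
  return new URL(action ? action : pageUrl, pageUrl).href;
}

// Pre-8.52 behaviour as described in the advisory: a "title" attribute, if
// present, is what the status bar displays instead of the action URL.
function statusHintBefore852(control, pageUrl) {
  return control.title !== undefined ? control.title
                                     : resolveAction(control, pageUrl);
}

// 8.52 behaviour: the status bar shows the form action URL regardless of title.
function statusHintFrom852(control, pageUrl) {
  return resolveAction(control, pageUrl);
}

// 8.52 tooltip: both the title and the action URL. The two-line layout and the
// "Address:" label are assumptions; the advisory only says both are shown.
function tooltipFrom852(control, pageUrl) {
  const lines = [];
  if (control.title !== undefined) lines.push('Title: ' + control.title);
  lines.push('Address: ' + resolveAction(control, pageUrl));
  return lines.join('\n');
}

// Heuristic check: does the title parse as a URL whose host differs from the
// host the form submits to? A scheme-less look-alike such as
// "nice.familiar.com" is not parsed as a URL here and would need a looser test.
function titleMisleads(control, pageUrl) {
  if (control.title === undefined) return false;
  let titleHost;
  try {
    titleHost = new URL(control.title).hostname;
  } catch (e) {
    return false; // ordinary text, not a URL look-alike
  }
  const actionHost = new URL(resolveAction(control, pageUrl)).hostname;
  return titleHost !== actionHost;
}

for (const [name, c] of [['spoof', spoofControl], ['honest', honestControl]]) {
  console.log(name, 'status bar before 8.52:', statusHintBefore852(c, PAGE_URL));
  console.log(name, 'status bar from 8.52:  ', statusHintFrom852(c, PAGE_URL));
  console.log(name, 'tooltip from 8.52:\n' + tooltipFrom852(c, PAGE_URL));
  console.log(name, 'title misleads:', titleMisleads(c, PAGE_URL));
}
```

The check only compares hosts, which is the part a user would look at when deciding whether to trust a destination; it deliberately does not treat a title on the same host but a different path as misleading. As the advisory notes, none of this helps when JavaScript is enabled, because a script can replace the action after the hint has been displayed.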
Credits
Thanks to Secunia for pointing out how the "title" attribute could be abused to trick the user.
Last edited: 2006-02-17; Category: Security advisories; Keywords: ; Index: 819